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Final documentation of the Safety in Earth Orbit Study is submitted by 
the Space Division of North American Rockwell Corporation to the National 
Aeronautics and Space Administration, Manned Spacecraft Center, Houston, 
Texas, in compliance with DRL Line Items 3 and 4 of NASA-MSC Contract 
NAS9-12004. 

The 12-month study was performed for the NASA Manned Spacecraft Center 
by the Space Applications Programs organization at the Space Division of 
North American Rockwell. Mr. P. E. Westerfield of the Safety Office was the 
NASA technical manager. 

Documentation of the study results is as shown in the following table. 
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1.0 INTRODUCTION 


Most of the manned spaceflight programs planned by NASA for the late 
1970’s and 1980's are concentrated on earth orbital operations. These will 
use the shuttle and a variety of manned and unmanned payloads delivered to 
orbit by the shuttle. 

The Safety in Earth Orbit Study examined five specific safety issues 
associated with these operations. The study logic used is shown in 
Figure 1-1. The five issues were studied as five separate tasks and these 
were performed in the order shown. 
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This volume presents the technical analysis for the first three tasks, 
which are shown by the heavy outline in the study logic. These three tasks 
used hazard/emergency analyses as a prime technique for generating safety 
requirements and guidelines. These latter form an important part of the study 
output, and are documented separately in Volumes IV and V of this report. 

1.1 SCOPE 

The study scope covered the vehicles shown in Figure 1-2. 



SHUTTLE ORB I TER 


SHUTTLE PAYLOADS SPACE STATION 


•INTEGRAL TANK 
•DROP TANK 


• SORTIE MODULES -INITIAL (6-MAN) 

•SATELLITES • GROWTH (12-MAN) 

• UPPER STAGE VEHICLES 


Figure 1-2. Vehicles Considered in Study 

Initial tasks were based on the integral tank shuttle orbiter, but emphasis 
was later switched to the drop tank orbiter as this concept developed. The 
assumptions made were broad enough that no results were invalidated by this 
change. 

Shuttle payloads considered included manned and unmanned sortie payloads 
(i.e., attached to the orbiter), satellites delivered to earth orbit, and 
potential upper stage vehicles, such as the tug, Agena, Centaur, etc., used to 
deliver unmanned payloads to orbits beyond the orb iter's capabilities. 

The space stations considered were modular stations delivered to earth 
orbit and assembled by the orbiter. Initial 6-man versions and growth versions 
with up to 12 men, as defined in recent Phase B studies, were studied. 
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To the maximum extent possible, the analyses were performed with the min- 
imum configuration oriented and operational assumptions possible, in order to 
have the results applicable over as wide a range of changes from currently 
planned programs as possible. 

Within the scope of the vehicles described, the study is bounded by the 
following study ground rules: 

• The main concern is personnel safety. A lesser emphasis was 
placed on avoiding damage to or loss of the vehicles. 

• The analysis was confined to the manned on-orbit phase of 
missions. Launch, boost, deorbit, reentry and landing of 
the orbiter, or unmanned operations of the station and 
upper stage vehicles away from the orbiter were not con- 
sidered. 

• The study results cover only the specific concerns of the 
study. They must not be assumed to cover all safety 
aspects of the relevant vehicles. 

1.2 STUDY OBJECTIVES 

The study concerned itself with five specific issues. These issues and 
their objectives are: 

1. Hazardous payloads . The objective was to identify hazards 
associated with certain orbiter payloads and to determine 
safety requirements and guidelines. 

2. Docking . The objective was to compare a number of different 
approaches for docking an orbiter to a space station, and to 
recommend the methods preferred from a safety point of view. 

3. On-board survivability . The objective was to determine the 
configurational and other requirements for the orbiter, 
sortie module and space station to allow personnel to survive 
on-board emergencies . 

4. Tumbling spacecraft . The purpose was to determine practical 
means for arresting the motion of out-of-control tumbling 
spacecraft by external means, or to allow on-board personnel 
to escape from a spacecraft if tumbling cannot be arrested. 

5. Escape and rescue . The objective was to determine the applic- 
ability of previous or new concepts for escape, rescue and bail- 
out survivability to the orbiter, sortie modules and space station. 

This volume presents the technical analyses for the first three tasks. 

The last two tasks are reported in Volu&e III of this report. 
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1.3 RELATIONSHIP TO OTHER STUDIES 

The Safety in Earth Orbit Study was performed in the context of a wide 
range of related studies. This relationsuip is show.. un Figure 1-3. 

The most important wf these studies are the Phase B studies on the space 
station, shuttle and RAM (Research and Applications Modules). These studies 
were the main sources of data on the station, shuttle and sortie module, 
respectively. Phas z A studies on the Tug, Orbit-to-Orbit Shuttle (00S) and the 
Chemical Interorbital Shuttle, and systems studies on the Orbital Operations and 
the In-Space Propellaru Logistics Studies provided additional information, both 
on relevant hardware elements and on operational modes. 

A good interchange of information was possible with all these studies for 
which NR was a prime contractor (sub contractor on the RAM). The interchange of 
information and ideas generally flowed in both directions. This interchange was 
particularly fruitful with the Orbital Operations Study and the safety portion 
(Phase 2) of the ISPLS study. 

Additional safety background was obtained fiom earlier safety studies by 
Boeing (on the space station), Lockheed (on the shuttle), and from ongoing 
studies by the Aerospace Corporation (on the shuttle and on escape and rescue). 

A particularly useful cooperative effort was also established with the Pennsyl- 
vania State University on the dynamics of tumbling spacecraft. 
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Figure 1-3. Relationship to Other Studies 
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1.4 BASELINE MODEL 

The baseline model discussed in this section describes typical shuttle 
orbiter configurations, shuttle missions, and the interfaces with the shuttle 
payloads, sortie modules, and the space station. 

While this model is typical, many variations have been or are being con- 
sidered. The attempt has been made to make the results of the entire study as 
insensitive to the concepts, configurations, operational modes, design details, 
and program schedules as possible, so as not to invalidate the study as the 
space program evolves. This has been done by dealing with the problems para- 
metrically, and not typing the analyses to specific designs, sizes, or missions. 
The description of the baseline model that follows, therefore, should be read 
as c scribing typical current concepts, and not the concepts assumed for the 
s tudy . 


1.4.1 Typical Shuttle Mission 

A typical shuttle mission, shown in Figure 1-4, was generated from NR 
Phase B shuttle data to identify approximate projections of shuttle functions 
and timelines, and to illustrate the scope of this study within the shuttle 
mission. Earth orbit is interpreted for purposes of the study as encompassing 
that portion of the mission that starts with orbit injection and terminates with 
deorbit. On-orbit time can be up to 30 days. 


SAFETY IN EARTH ORBIT 



Figure 1-4. Typical Shuttle Mission 


5 


SD 72-SA-0094-2 







Space Division 

North American Rockwell 


At launch (t Q ) the orbiter and booster are mated and remain mated until 
staging, at which time separation occurs and the booster flies back to a landing 
site, while the orbiter initiates a main engine bum to effect injection into a 
93 by 185 km (50 by 100 n mi) orbit at approximately t 0 + 9 minutes. Immediately 
after post-insertion checks on orbiter subsystems, the orbiter cargo bay doors 
are opened to expose the orbiter space radiators on the inside of the cargo bay 
doors to space. This occurs at approximately 9 to 40 minutes aft?r launch. At 
approximately 50 minutes, the apogee of the 93 by 185 km (50 x 100 n mi) orbit 
is obtained and a circularization bum is performed to circularize the orbiter 
in the 185 km (100 n mi) phasing orbit. After initial phasing relative to the 
target vehicle is accomplished, rendezvous and phasing adjustments are made dur- 
ing a series of Hohmann transfer bums to a circular orbit approximately 18.5 km 
(10 n mi) below the target vehicle. Final phase adjustments are made prior to 
initiating the terminal phase initiation bum to complete the rendezvous, station- 
keeping, and docking operations. 

During the subsequent on-«.rbit stay time at the target vehicle orbit, the 
orbiter can either be attached to or can station-keep at a safe distance from 
the target vehicle. 

Shortly before deorbit, phasing with a landing site is accomplished, 
system checks are made, and the cargo bay doors are closed. The deorbit bum 
which follows will result in entry to the earth’s atmosphere at approximately 
122 km (400,000 feet) and subsequent approach and landing at the preselected 
landing site. 

It is significant to note that the orbiter cargo bay doors would be closed 
for only 1/2 hour to 1 hour while on orbit for a shuttle mission of any dura- 
tion. 


1.4.2 Typical Orbiter Model 

The primary orbiter concepts considered in the study are shown in Figures 
1-5 and 1-6. The integral tank orbiter concept resulting from NR Phase B 
shuttle studies is shown in Figure 1-6 and includes such features as a 4.6 m 
15-f t-diameter by 18.3 m 60-ft-length cargo bay with hinged cargo bay doors, 
two manipulators with peripheral illumination, visual and operating aids, a 
manipulator operator station, and an airlock docking port which interfaces with 
the crew and passenger compartments and with a personnel transfer port leading 
to the cargo bay. This configuration includes integral LH 2 and LO 2 propellant 
tanks for the main propulsion system used for orbit injection, and the auxiliary 
propulsion system used for orbit maneuvering and attitude control* An air- 
breathing propulsion system, which employs JP fuel and turbofan engines, is 
incorporated to provide the capability for short-duration powered descent after 
vehicle entry, powered landing and go-around, and vehicle ferry operations. 

The drop tank orbiter configuration resulting from NR Phase B extension 
studies is shown in Figure 1-6 and differs from the previous configuration 
primarily in that it features an external jettisonable LO 2 /LH 2 ascent propellant 
tank, employs storable hypergolic propellants (nitrogen tetroxide and Aerozine 
50) for the orbit maneuvering and attitude control systems. It is a lighter 
vehicle than the integral tank orbiter with a geometry which required relocation 
of the airlock docking port to the nose of the vehicle. 
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Figure 1-6. Drop Tank Orblter Concept 
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The initial MDAC orbiter concept, which is similar to the NR integral 
tank orbiter, also employs integral LO 2 and LH 2 propellant tanks. However, a 
rotation payload deployment mechanism concept is used in lieu of an articulating 
manipulator, as shown in Figure 1-7. 



Figure 1-7. MDAC Payload Deployment Mechanism 
1.4.3 Typical Orbiter Payloads 

Orbiter payloads considered in the study include the following: 

1. Unmanned pallet- type sortie payloads, which remain attached 
to the orbiter. These may remain in the cargo bay, or be 
deployed out of it for exposure to space. 

2. Manned sortie modules, which remain attached to the orbiter. 
These also may remain in the cargo bay, or be deployed out of 
it during orbital operations. These may be flown combined 
with an unmanned pallet payload. 

3. Automated payloads. These include satellites and subsatellites 
delivered to orbit by the orbiter and operate detached from the 
orbiter. These also can be retrieved for servicing or return 
to earth. 

4. Upper stage vehicles with their payloads. These are used as a 
shuttle third stage to deliver payloads beyond the orbiter's 
capability. The upper stage vehicles considered as candidates 
include: 

o Agena 
o Centaur 
o Burner II 
o Trans tage 

o Apollo service module (SM) 
o Tug or orbit-to-orbit shuttle (00S) 
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The Centaur, tug, and 00S, and possibly the SM, are coi.jldered reusable 
and may be retrieved. The others are expendable. These include the modules 
required for buildup of the permanent station, cargo modules for logistics 
resupply, experiment modules, and replacement modules as required. All these 
modules are returnable to earth in the orbiter. 

1.4.4 Typical Space Station Model 

The primary modular space station (MSS) concepts being considered by NR 
and MDAC for the initial station are shown in Figures 1-8 and 1-9. As shown 
in Figure 1-8, the NR initial station consists of nine modules requiring a 
like number of shuttle flights for the station buildup. Similar data for the 
MDAC initial modular station are presented in Figure 1-9. 


10 


8D 72-8A-0094-2 





Space Division 

North American Rockwell 



IOC - 6 MEN 


Launch No. 






Module 

Module Elements 

Core 

Power generation and conversion, IVA/EVA air- 
lock, guidance and control, reaction control, 
consumables 

Power 

Solar array, emergency hatch, GN 2 , GO 2 

Control/Crew 

Control center, personal hygiene, data analysis, 
commander/exec stateroom isotonic exercise area, 
photo lab, crew stateroom, waste management 
equipment 

ECS/ Labs 

Environmental control and life support equip- 
ment, nadir airlock, mechanical lab, optical/ 
electrical lab, bioscience/earth observation 
laboratory 

ECS/ Labs 

Environmental control and life support equip- 
ment, zenith airlock, galley, dining and 
recreation, physics/biomedical lab 

Control/ Crew 

Control center, personal hygiene, medical and 
crew care, cowmander/executive stateroom, crew 
stateroom 

Crew/Cargo 

Crew, propellants, consumables 

RAM 

Experiments 

RAM 

Experiments 


Figure 1-8. NR Modular Space Station 
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Launch No. 

Module 

Module Elements 

1 

Power/ Subsystems 

Solar array, propellant tankage, system 
communication, data management, displays/ 
controls, onboard checkout, pump-down 
accumulator, atmosphere supply, control 
moment gyros, guidance and control, hori- 
zon sensor, electrical power supply, 
reaction control 

2 

Crew/ Operations Module 

Crew quarters, electronics, hygiene, 
command control console, gal ley/ wardroom, 
crew quarters, food storage 

3 

General Purpose 
Laboratory 

Data evaluation, secondary and experi- 
ment control consoles, airlock chamber 
and controls, biomedical lab, optical 
lab, isolation and test lab, EVA airlock, 
airlock chamber, mechanical sciences lab, 
hard data processing facility, electrical/ 
electronics lab 

4 

Logistics Module 

Propellant cargo, liquid and gas cargo, 
solid cargo, cargo handling aids, crew 
transfer tunnel, and airlock 


Figure 1-9. MDAC MSS Buildup Sequence/ Initial Station 
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2. 0 HAZARDOUS EARTH ORBITAL SHUTTLE PAYLOADS, 
CARGO TRANSFER, AND HANDLING 


Many different kinds of payloads will be carried into orbit in the orbiter 
cargo bay. The purpose of this task was to identify, analyze, and recommend 
solutions of the hazards resulting from (a) the delivery, deployment, and 
retrieval of hazardous payloads, and from (b) the transfer and handling of 
general types of cargo. Three particular areas of concern were investigated 
since they concern the safety of the orbiter and its crew and passengers 
while in orbit. These areas and the sections in which they appear are: 

• Upper stage vehicles as they are transported in the orbiter cargo 
bay, deployed, and retrieved. These vehicles include expendable 
stages, mainly using storable or solid propellants, and reusable 
cryogenic stages. Hazards, specific to on-orbit orbiter aborts 
are included. (Section 2.1) 

• Hazardous fluid vessels transported and off-loaded in earth orbit 
in the orbiter as cargo or as part of a payload. Orbiter on-or^»it 
abort hazards are included. (Section 2.2) 

• The handling and transport of cargo between the orbiter, sortie 
modules, and Space Station. (Section 2.3) 

The technical analyses for these three subtasks are reported in 
Sections 2.1, 2.2, and 2.3, respectively. Section 2. 5 summarizes the 
residual hazards from this task and how they are resolved. Hazard/ 
emergency analyses are contained in Appendix B of this volume. 

The primary output of this task is the set of recommended require- 
ments and guidelines. These are contained in Volumes IV and V of this 
report. A set of conclusions, based on the hazard/emergency analyses and 
the other supporting analyses of Appendix A, is given in Section 2.4, together 
with the supporting rationale. 

It is believed that the assumptions inherent in this task are few and 
simple. These are: 

• The Shuttle orbiter has the capability to operate in earth orbit 
independently of other vehicles in orbit, of the payload, or of 
the ground. 
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• The orbiter has the inherent capability to return to earth with all its 
crew and passengers. 

• The orbiter payloai or payloads are carried in a single cargo bay. 
This cargo bay is protected during boost and reentry by a cargo bay 
door or doors, which form a part of the orbiter, and can be opened 
and closed by the orbiter crew. The cargo bay is not pressurized 
or pressurizable in orbit. 

• The orbiter has the capability to deploy payloads out of the cargo 
bay, when required, and to retrieve and stow recoverable modules 
and payloads. 

• The orbiter and Space Station have docking capability. 

So long as these assumptions remain valid, the results of this task 
should be applicable. In addition, assumptions applicable to specific 
hazards /emergency analyses have been recorded individually in the par- 
ticular analyses (see Appendix D). 

2. 1 UPPER STAGE VEHICLES AS SHUTTLE PAYLOADS 

The purpose of this subtask was to identify the hazards associated 
with the transportation, deployment, and retrieval in earth orbit of upper 
stage vehicles, and to determine the safety measures required to deal with 
these. Both expendable stages and reusable stages were considered. The 
orbiter on-orbit abort hazards subsequent to these types of payloads were 
also analyzed. 

A large range of upper stage vehicles is currently being considered 
for use in the shuttle orbiter. These stages will be used to launch unmanned 
payloads into higher orbits than the orbiter capability. Both existing 
vehicles such as the Agena and Centaur, modified existing vehicles such as 
Agena's and Centaur's with larger tanks, and new vehicles such as orbit-to- 
orbit shuttle (OOS) and the tug, are being considered. Ir general, only the 
cryogenic stages (Centaur, OOS and tug) are being considered reusable, 
but the Apollo service module could also be reusable. In addition to the 
liquid propellant stages, a solid propellant stage (Burner II) was also con- 
sidered in the study as typical of solid stages. 

Sections 2. 1. 1 and 2. 1. 2 identify potential hazards. Appendix A con- 
tains some specific supporting analyses. The hazard/emergency analyses 
and the resulting requirements and guidelines are contained in Appedix D 
and in Volumes IV and V of this report. 
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2. 1. 1 Hazardous Elements of Upper Stage Vehicles 

The upper stage vehicles considered in this subtask were: 

• Agena 

• Centaur 

• Transtage 

• Burner II 

• Apollo service module 

• Orbit -to -orbit Shuttle (OOS) /tug 

It is believed that the hazards identified from these vehicles are 
typical of all upper stage vehicles that may be carried in the Shuttle orbiter 
in the foreseeable future. The modified versions of the Agena and the 
Centaur as presently conceived differ only in the sizing of the tanks. The 
subsystems will be the same as on the current stages. The OOS and the 
tug at the time this report was prepared were in Phase A Definition and 
therefore exact data on the subsystems to be used are not available. How- 
ever, the results of the Phase A studies at North American indicate that 
the OOS /tug hazards are fully covered by the other vehicles considered. 

Hazardous elements of the upper stage vehicles considered are listed 
in Table 2-1. 

2. 1. 2 Identified Hazards 

Potential hazards were identified by considering the hazardous 
elements of each upper stage vehicle (Section 2. 1. 1) and potential failure 
modes as applicable to each operation (Appendix A). These potential 
hazards are listed for each upper stage vehicle in Tables A-4 through A- 8, 
listed by mission phase. Because of lack of detailed hardware definition, 
hazards for the OOS /tug have not been identified in this detail, but the 
Centaur hazards may be regarded as typical of the OOS /tug. 

The individual hazards (identified in Tables A-4 through A-8 of 
Appendix A) were consolidated into 15 classes of hazards, applicable in 
general to all the upper stage vehicles. The hazard/emergency analyses 
of Appendix D of this report were performed for each of these classes of 
hazards. 

These 15 classes of hazards are: 

1. 1. 001 Explosion /rupture of a pressurized container in an upper 
stage vehicle inside or near orbiter. 
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1 . 1 . 002 
1. 1. 003 
1. 1. 004 

1. 1.005 

1 . 1 . 006 

1. 1.007 

1. 1.008 

1. 1. 009 

1 . 1 . 010 
1 . 1.011 

1 . 1 . 012 

1. 1. 013 

1. 1. 014 

1. 1.015 


Combination of mutually reactive upper stage vehicle fluids 
leading to explosion or fire inside or near orbiter. 

Inadvertent detonation of explosive charge on upper stage 
vehicle inside or near orbiter. 

Rapid decomposition of monopropellants located in or 
leaking from the upper stage vehicle while inside or near 
orbiter. 

Uncontrolled combustion in active upper stage vehicle 
reaction control engines while near the orbiter. 

Leakage of corrosive fluids from upper stage vehicle tanks 
while inside the orbiter. 

Inadvertent start of an upper stage vehicle main or reaction 
control rocket engine while inside orbiter cargo bay. 

Inadvertent separation of an upper stage vehicle attach 
point while in the orbiter. 

Loss of attitude /translation control of upper stage vehicle 
upon release from orbiter. 

Hangup of upper stage vehicle during release from arbiter. 

Rupture of common bulkhead tanks in upper stage vehicle 
while in or near orbiter. 

Loss of pressurization in pressure stabilized upper stage 
vehicle structure while in or near orbiter. 

Inability to dump propellants or pres sur ants in retrieved 
upper stage vehicle. 

Inability to dump upper stage vehicle propellants or pres- 
surants during orbiter abort. 

Inability to close cargo bay doors after retrieval of upper 
stage vehicle because of interference with upper stage 
vehicle. 


The numbers refer to the hazard /emergency analyses in Appendix D 
of this report, in which these are analyzed. 


16 


SD 72-SA-0094-2 


.r-j* 




Space Division 

North American Rockwell 


Table 2-1. Hazardous Elements of Upper Stage Vehicles 


Fluid Propel lantsT 


Agena 


Centaur 


Trans t age 


Burner II 


SM 


QOS /Tug 


Nitrogen Tetroxide 
Aerozene -50 
Hydrogen Peroxide 
Liquid Oxygen 
Liquid Hydrogen 
Monomethyl Hydrazine 
Water/Glycol 
Unsyranetrical Dimethyl 
Hydrazine 

Inhibited Red Fuming Nitric 
Acid 

Pressurized Containers: 


Helium Tanks 
Nitrogen Tanks 
Nitrogen Tetroxide Tanks 
Aerozene -50 Tanks 
Hydrogen Peroxide Tanks 
Liquid Oxygen Tanks 
Liquid Hydrogen Tanks 
Mor omethyl Hydrazine Tanks 
Water/Glycol Tanks 
Unsymmetrical Dimethyl 
Hydrazine 

Inhibited Red Fuming Nitric 
Acid 

RCS Propellants : 


Aerozene -50 + Nitrogen 
Tetroxide 

Monomethyl Hydrazine + 
Nitrogen Tetroxide 
Hydrogen Gas + Nitrogen 
Tetroxide 

Corrosive Fluids: 


Nitrogen Tetroxide 
Hydrogen Peroxide 
Liquid Oxygen 

Inhibited Red Fuming Nitric 
Acid 


X 

X 


X 

X 


X 

X 


X 

X 

X 


X 

X 

X 


X 

X 


X 

X 


X 

X 

X 

X 


X 

X 

X 

X 

X 

X 


X 

X 

X 

X 

X 

X 

X 

X 


X 

X 


X 

X 


X 

X 
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Table 2-1. Hazardous Elements of Upper Stage Vehicles (Cont) 



Agena 

Centaur 

Transtage 

Burner II 

SM 

OOS/Tug 

Pyrotechnics: 







Connections Between Modules - 
Cutters 
Helium Valves 

X 


X 


X 


Solid Propellant Igniters 
Turbine Start Solid Pro- 

X 



X 



pell ant Charges 
Explosive Bolts - Payload 

X 

X 

X 

X 

X 

X 

Separation 

Linear Shaped Charge - Panel 

X 

X 



X 


Separation 

Destruct Shaped Charges 

X 

X 

X 

X 

X 

X 

External Extensions - 





X 


Antennae 







Rocket Engines: 
(Qty. Indicated) 







Main Engine 

1 

2 

2 

1 

1 

1-4 

RCS Engine 


8 

12 

4 

16 

20 

Stability Source: 







Gyro Reference 

X 

X 


i 

X 


X 

Accelerometers 

X 

X 





Computer/Flight Control 

X 

X 


X 


X 

Attachment Methods : 


1 





Explosive Bolts 
Linear Shaped Charge 
Not Defined 

X 

X 

X 

X 

X 

X 

Attitude Hold/Translation 







Capabilities: 







Translation - Main Engine 

x(D* 

X(1) 

X(l) 

X(1) 

X(l) 

X(l) 

-RCS 

- Auxiliary 


x(l) 

x Cl) 

X(2) 

X(6) 

X(6) 

Attitude Hold - RCS Couples 





X 

X 

- Off-Center 

X 

X 

X 

X 



* ( ) Number of directions 
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2. 2 HAZARDOUS FLUID VESSELS AS SHUTTLE PAYLOADS 

The purpose of this subtask was to identify the hazards associated 
with the various fluid vessels which may be transported in the Shuttle orbiter 
cargo bay as part of a payload, and to determine the safety requirements 
and guidelines to deal with these hazards. 

In general, hazards exist either because the fluid is inherently hazard- 
ous, e. g. , toxic or corrosive, or because of the conditions under which it is 
transported; e. g. , at high pressure or as a cryogen. The Shuttle crew or 
passengers are normally only directly exposed to the hazard when a manned, 
pressurized experiments module is carried on the orbiter as part of a sortie 
module. Situations in which crew or passengers have exposed themselves 
to the hazardous fluids in extravehicular activity (EVA) have also been con- 
sidered. The main safety concern has turned out to involve damage to the 
orbiter, particularly the cargo bay area; and this, of course, jeopardizes 
personnel safety indirectly by precluding return to earth. 

A major area not covered in this study is the transportation into space 
by the Shuttle of large quantities of propellants for logistic resupply of such 
vehicles as a tug, orbital propellant depot, and chemical or nuclear propul- 
sion stages. The reason is that the entire subject of logistics resupply of 
propellants and propellant transfer is being studied in a concurrent NASA 
study at the Space Division, In-Space Propellant Logistics and Safety Study, 
Contract NAS8-27692. Project II of this study is specifically concerned 
with the safety aspects. 

Sections 2. 2. 1 to 2. 2.4 identify hazardous fluids involved in the 
orbiter payloads (except upper stage vehicles, which were covered in 
Section 2. 1). Section 2. 2. 5 summarizes the hazards, and the remaining 
sections contain some specific supporting analyses. The hazard/emergency 
analyses are contained in Appendix D and the resulting requirements and 
guidelines in Volume IV and V of this report. 

2. 2. 1 Hazardous Experiment Fluids 

Hazardous experiment fluids were identified by a review of Volumes II 
through VIII of the Blue Book, Preliminary Edition of Reference Earth 
Orbital Research and Applications Investigations, 15 January 1971. This 
document was selected because it is used as a baseline NASA document to 
define a manned spaceflight research capability to be conducted in Earth 
Orbital Space Stations and Shuttles and is therefore not oriented specifically 
to any single program. The eight Blue Book volumes are: 

Volume I Summary 

Volume II Astronomy 

Volume III Physics 
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Volume IV 

Earth Observations 

Volume V 

Communications /Navigation 

Volume VI 

Materials Sciences and Maintenance 

Volume VII 

Technology 

Volume VIII 

Life Sciences 


The results of the Blue Book review are listed in Tables A-9 through 
A- 15 of Appendix A. The experiment and subexperiment for each discipline 
are listed together with the subexperiment basic fluid requirements. (The 
tables also include materials which were identified and listed for use in 
other tasks.) Container quantities, pressures, and volumes are indicated 
when specified. Worthy of particular note is the potential use of mercury 
for the quantum effects at low temperature and zero g physics experiments, 
and a requirement in excess of 1100 kg (2500 lb) of LH 2 to support long-term 
cryogenic storage technology experiments. 

2. 2. 2 Hazardous Sortie Module Fluids 

Sortie modules include research and applications module (RAM), RAM 
support module (RSM), mission support module (MSM), and palletized 
experiment payloads which remain attached to the orbiter and are used as 
reusable space laboratories or support facilities. 

Because of the level of detail available from the current Shuttle Orbital 
Applications /Requirements (SOAR) and research and applications module 
studies, it was not possible to identify specific hazardous fluids associated 
with all program elements. However, since for normal sortie missions 
these modules will be attached to the orbiter, and the orbiter will provide 
necessary experiment attitude control and propulsion, propellants are not 
required in the^e modules. A possible exception may exist if ti e RSM or 
MSM is used to service and refuel automated payloads, in which case sig- 
nificant quantities of propellants would be required. The RSM will provide 
environmental control and life support facilities for the experiment crew 
in addition to providing facilities to support the conduct of experiments. For 
a typical seven-day experiment sortie mission, it will require fluids in the 
approximate quantities and with approximate container characteristics as 
listed in Table 2-2. 


Table 2-2. RAM Support Module Fluids for Seven-Day Mission 


Fluid 

Fluid 
Quantity 
Kg (lb) 

Container 
Volume 
M 3 (ft 3 ) 

No. of 
Containers 

LO 

310(680) 

0.23 (7. 1) 

2 

LH 

34(75) 

0. 36 (12. 6) 

2 

ln 2 

60(133) 

0.23 (8. 1) 

1 

gn 2 

4. 5(10) __ 

Not defined 

Not defined 
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Hazardous fluids other than those applicable to sortie missions which 
were identified during review of the 1971 NASA Experiment Blue Book were 
not identifiable. 

2. 2. 3 Hazardous Station Fluids 


Hazardous fluids are required by both the SD and McDonnell Douglas 
(MDAC) designs of the Modular Space Stations during the station buildup and 
normal operations phases. Station modules containing hazardous fluids for 
attitude control, electrical power generation, and pressurization will be 
delivered by the Shuttle during the buildup phase. Resupply of station sub- 
system consumables will be accomplished under the present concepts via an 
orbiter delivered cargo or logistics module. 

The SD station is planned to generate GO^ and GH£ by water electrol- 
ysis during normal operations. During buildup, it requires delivery of 
high-pressure gases on the initial modules to support subsequent buildup 
operations. After station buildup, delivery of water for electrolysis and 
GN2 for atmosphere leakage makeup via the cargo module will be the primary 
station subsystem resupply fluids. The expected fluid quantities, tank quan- 
tities, and pressures for the SD station core and power module buildup 
launches and the cargo module resupply for station subsystems are shown 
in Table 2-3. This includes fluid quantities required for station repressur- 
ization, EVA support, and 48 -hour emergency support. 


Table 2-3* Expected Hazardous Fluids - NR Modular Station Subsystems 



CORE 

MODULE 

POWER MODULE 

CARGO MODULE 


Container Characteristics 

Container Characteristics 

Container Characteristics 

Fluid 

Fluid 
Qty 
Kg (lb) 

Qty 

Vol 

M3 (ft 3) 

Fluid 
Qty 
Kg (lb) 

Qty 

Vol 

m 3 (ft 3) 

Fluid 
Qty 
Kg (lb) 

Qty 

Vol 

M3 (ft 3) 

go 2 

146(322) 

4 

.15(5.3) 

125(274) 

3 

.15(5.3) 

88(194) 

2 

.31(10.9) 





88(194) 

3 

.31(10.9) 

64(141) 

1 

.22(7.9) 

gh 2 

18(40) 

4 

.31(10.9) 

15(34) 

3 

.31(10.9) 

3.2(7) 

3 

.21(7.6) 

gn 2 




58(127) 

3 

.24(8.6) 

73(161) 
1 

6 

.31(10.9) 

All pr 

essures 2. 

06 x 

10? N/m2 (3 

7 

000 psi) . 
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On the MDAC station, significant quantities [approximately 106 kg/ 
month (233 lb/month) for three months] of N2H4 (hydrazine) will be required 
on the initial power /subsystems module launch to provide station attitude 
and maneuver control prior to the installation of control moment gyros 
(CMG's) and before the activation of resistojets which require CO2 (carbon 
dioxide) in quantities capable of being generated by the crew. High-pressure 
atmospheric supply bottles of GO2 and GN2 in significant quantities are also 
intended to be contained in the power /subsystems module. Resupply of the 
station, after initiation of the resistojet system, will require smaller 
quantities of N2H4 than those required on the initial launch, but will require 
substantial quantities of high-pressure GO2 and GN2 for atmospheric leakage 
resupply. 

2,2.4 Hazardous Automated Payload Fluids 

Automated payloads are capable of being operated in a free -flying mode 
after release from the orbiter. The automated payloads range in size from 
a 136 kg (300 lb) earth orbiting small applications technology satellite to a 
11,400 kg (25, 000 lb) high energy astronomical observatory (HEAO) in low 
earth orbit. When an upper stage vehicle is required, as for automated 
planetary payloads, the payload total weights can approach the maximum 
payload of 29, 500 kg (65, 000 lb), of which approximately 70 percent is pro- 
pellants. While propellant quantities for small satellites of the 136 kg (300 lb) 
class are not considered significant, propellant requirements for attitude 
control and orbit makeup of large low earth orbit payloads, such as the HEAO, 
can be significant. Although cryogenic oxygen and hydrogen could be used for 
propulsion for short duration automated payload missions, it is more likely 
that solid propellants and storable propellants such as cold gas GN2, mono- 
propellants such as hydrazine, A-50, hydrogen peroxide, and monomethyl 
hydrazine, and hypergolic or ignitable bipropellants will be employed. Small 
quantities of cryogenics may be required, however, to cool experiment 
sensors, as in infrared astronomy experiments. 

2. 2. 5 Summary of Hazardous Fluid Vessels in Orbiter Payloads 

Hazardous fluids identified for the upper stage vehicles, Blue Book 
experiments, Space Station, sorHe modules, and automated payloads are 
summarized in Table 2-4 together with the hazardous characteristics of 
the fluid and accountability to the payload element. 

2.2.6 Identified Hazards 


Each fluid vessel to be transported in the orbiter cargo bay is asso- 
ciated with a set of discrete hazards. This set depends on the hazardous 
properties of the fluid, the quantity of fluid, its storage conditions, its 
location in the orbiter, and the mode of operation (e. g. , whether manned 
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Table 2-4. Summary of Hazardous Fluid Vessels in Orbiter Payloads 

1 I PROGRAM ELEMENT 


CRYOGENICS 


Super fluid Helium 
Dry Ice (LCO 2 ) 


HAZARD 


UPPER STAGE 
VEHICLE 


BLUEBOOK 

EXPERIMENT 


HAZARDOUS FLUID 
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Slush Hydrogen 
Solid Cryogen 
Undefined Cryogen 
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B 

B X X X 


X XX 


°2 

N 2 

»2 

Unspecified Gas 
He 

Hydrocarbons 

Carbon Tetraflouride (CF4) 
Carbon Monoxide (CO) 

Carbon Dioxide (C0 2 ) 
Nitric Oxide (NO) 

Acetylene (HCSCH) 
Diborane (B 2 H 5 ) 

Xenon (X e ) 


X X X X 
A 

XX X 


X XXX 


XX XX 


XXX 

X 


Footnotes: A 
B 


Simple asphyxiant 
Can cause severe burns and 
tissue damage on contact 
with skin 


C • Extremely toxic when 
heated to decomposition 
X ■ Applicable or present 
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Table 2 - 4 . Summary of Hazardous Fluid Vessels in Orbiter Payloads (Ccmt) 




PROGRAM ELEMENT 1 

HAZARD 

UPPER STAGE 
VEHICLE 

BLUE BOOK 
EXPERIMENT 

OTHER 


Toxicity 

Fire 

Corrosion 

Explosive 

Agena 
Centaur 
Burner II 
Transtage 

Service Mod. /Apollo 
OOS/Tug 

Astronomy 

Physics 

Earth Observation 
Comm./Nav. 

Mater. Sci. 4 Proc. 

Technology 

Life Sciences 

Space Station (NR) 
Space Station (MDAC) 
RAM Support Module 
Automated Payload 

HAZARDOUS FLUID 

GAS (Continued) 





Sulfur Hexaflouride (SF$) 

C 


X 


Methane (CH4) 

AX X 


X 


Propane (CH3CH2CH3) 

XX X 


X 


Unspecified Combustibles 

X 


X 


Hydrogen Sulfide (H2S) 

C X X 




LIQUID 





Hydrazine (N2H4) 

1 X X X 


X X 

X X 

Nuclear Emulsion 



X 


Hydrocarbons 

X X 


X 


Trimethl aluminum (AL(CH3)3) 

XX X 


X 


Freon 

X 


X X 

- 

Mercury 

X 


X 


Phenol (C6H5OH) 

X X 


X 


Formaldehyde 

XX X 


X 


Liquid Metals 



X 


Potassium Sodium Niobate 



X 


Potassium Sodium Silicate 



X 


Solvent 





Gallium Arsenide Solution 

XX X 


X 


Liquid Gal linn 

X 


X 


Fused Silicate Solutions 



X 


Hexane (013(012)4013) 

XX X 


X 


Methanol (CH3OH) 

XX X 


X 


Pentane (CH 3 (012)3013) 

XX x 


X 


Ethanol (CH3CH2OH) 

x x x 


X 


Freon II 

X 


X 


Freon II 4 B 2 

X 


X 


Freon 21 

X 


X 


Glycol 

1 

XX X 


X 

1 



24 


SD 72-SA-0094-2 





> * 


i 

* 

r 

\ 

* 

i 


j 

j 

i 

I 


[ 

? 


f 

i 

i 


| 

! 


i 



Space Division 

North American Rockwell 


Table 2 - 4 . Summary of Hazardous c luid Vessels in Orbiter Payloads (Cont) 




PROGRAM ELEMENT 

HAZARD 

UPPER STAGE 
VEHICLE 

BLUEBOOK 

EXPERIMENT 

OTHER 

Toxicity 

Fire 

Corrosion 

Explosive 

Agena 
Centaur 
Burner II 
Trans t age 

Service Mod. /Apollo 
OOS/Tug 

Astronomy 

Physics 

Earth Observation 
Comm. /Nav. 

Mater. Sci. § Proc. 

Technology 

Life Sciences 

Space Station (NR) 
Space Station (MDAC) 
RAM Support Module 
Automated Payload 

HAZARDOUS FLUID 

LIQUID (Continued) 





IITRI ZNO Silicone (S-13) 

X x 


X 


IITRI ZNO Silicate (Z-9) 

X X 


X 


LMSC Thermatrol Tj^ 

X X 


X 


Silicone (6A-100) 





Schteldahl GT-1015 

X X 


X 


Lubricants 

X X 


X 


Hydroquinones 

XX X 




C 2 H 4 

X 




Nitrogen Tetroxide (N 2 O 4 ) 

X X 

X XX 


X 

A-50 (50% UDMH + 50% 

C X X X 

X XX 


X 

Hydrazine) 





Hydrogen Peroxide (H 2 O 2 ) 

X X X X 

X X 


X 

Monomethyl Hydrazine 

C X X X 

X 


X 
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or unmanned). In addition, further hazards may be introduced by the inter- 
action of a fluid tank and a piece of Shuttle equipment (e. g. , a water tank 
next to a high-temperature source), or by the colocation of two tanks, each 
of which is relatively safe on its own (e. g. , O 2 and H 2 tanks next to each 
other). 


Upon review of all the potential hazards, it was found possible to 
condense these into five generalized classes of hazard. For purposes of 
this study, it was found both practical and desirable to use the following 
classes as the hazard or emergency: 


1.2.001 Exposure of the orbiter crew or passengers to a 
toxic environment released from a vessel in the 
payload containing a toxic fluid. 

1. 2. 002 A fire in the cargo bay resulting from release 

and ignition of a flammable fluid in an unpressurized 
payload. 


1. 2. 003 A fire in a pressurized payload in ! le cargo bay 

resulting from release and ignition of a flammable 
fluid. 


1.2.004 A corrosive environment in the orbiter cargo bay 
resulting from leakage or rupture of a payload vessel 
containing a corrosive fluid. 

1.2.005 An explosion in the orbiter cargo bay of a potentially 
explosive payload vessel. 


The numbers refer to the hazard/emergency analyses in Appendix D of 
this report, in which these are analyzed. 


Fluids stored in pressure vessels also present an explosion hazard. 
This type of explosion hazard is not indicated in Table 2-4, because this is 
a characteristic of the storage conditions and quantities rather than of the 
fluid. Every fluid stored as a gas, or as a liquid under pressure, exhibits 
this hazard to some extent or other (see Appendix A). 


2. 3 CARGO HANDLING AND TRANSPORTATION BETWEEN SHUTTLE 
ORBITER, SORTIE MODULES, AND SPACE STATION 


The purpose of this subtask was to identify the hazards associated with 
the handling and transportation of cargo between the Shuttle orbiter, sortie 
modules, and Space Station in earth orbit, and to determine the safety 
requirements and guidelines to deal with these hazards. 
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A review of the potential missions currently envisioned for the Shuttle 
in sortie modes, and later on for the Space Station, shows that a large and 
varied range of supplies will be transported into space by the Shuttle, Much 
of this cargo will be transferred from the Shuttle orbiter (the logistics supply 
vehicle) to the user vehicle (Space Station, sortie module, satellite, or 
reusable orbital propulsion stage). Some will be transferred from the 
orbiter in modular form, e. g. , as a cargo module, as a module of a station, 
or as a prepackaged payload for a propulsion stage. Individual cargo 
packages, such as food supplies, experiments, subsystems modification 
kits, or spares and fluid resupply tanks, will in turn need to be transferred 
from some of these modules to their ultimate user location in other modules. 
In some cases, individual packages will be transferred, manually or 
mechanically, directly from the orbiter cargo bay to a user satellite or 
other spacecraft. And finally, return cargo to earth, such as data packages, 
empty tanks, waste material, and replaced components will be returned in 
similar ways from the user vehicles to the orbiter for return to earth. 

This subtask is concerned with operations of all these cargo handling 
and transfer operations that involve discrete individual pieces of cargo. 

These transfers involve mainly the orbiter, sortie modules, and the Space 
Station. The transfer of complete modules or complete Shuttle payloads, 
such as upper stage vehicles and payloads, is not considered here (see 
Sections 2. 1 and 3. 0). The transfer of bulk quantities of propellants for the 
re-fuelling of space-based propulsion stages is not covered here. The design, 
operational, and safety aspects are being evaluated in a concurrent study at 
SD, In-Space Propellant Logistics and Safety Study, Contract NAS8-27692. 

The cargo that may be handled and transferred is identified in 
Section 2. 3. 1; the traffic model (what cargo, from which vehicle, and to 
which vehicle) in Section 2. 3. 2; and potential cargo handling and transfer 
methods in Section 2. 3. 3. The potential hazards are identified in 
Section 2. 3.4, and the remaining sections contain some specific supporting 
analyses. The hazards /emergency analyses and the resulting requirements 
and guidelines are contained in Appendix D of this volume, and in Volumes IV 
and V of this report. 

2. 3. 1 Candidate Cargo 


The candidate cargo materials to be handled and transferred between 
orbiter, sortie modules, and Space Station were de: ved from the logistics 
resupply requirements developed in the NR Phase B Space Station study. In 
this study the station was planned to complete the experiments contained in 
the NASA Experiments Blue Book, as well as logistically supply a crew of 
6 to 12 men for up to 10 years in earth orbit. On-board experiments, 
attached and detached experiments modules, and free -flying satellite support 
were included in the operations. Since the current missions for the Shuttle 
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sortie missions are less ambitious than this, both in terms of experiments 
to be carried out and of number of man-months in orbit, the candidate cargo 
manifest for the Space Station includes all individual cargo (excluding 
satellites and propulsion stages) currently being considered for the Shuttle, 
sortie, and station programs. 

The candidate list of cargo which was made up to define the cargo 
module characteristics extracted from Space Station Program Phase B 
Definition (Cargo Module Definition, DRL-47, North American Rockwell, 

Space Division, 3D 70-5040, MSC-00759, January 1971), is listed in 
Table 2. f, Candidate items which are inherently or potentially hazardous 
are iden: .. eu in this list by an asterisk. 

A more complete identification of hazardous payload fluids, together 
with their hazardous characteristics, is included in Section 2.2 of this 
volume. In addition, nuclear safety considerations arise from some radio- 
active materials needed for specific experiments. Specific radioactive 
materials identified from the NASA Blue Book are discussed in Appendix A. 

2. 3. 2 Cargo Handling and Transfer Model 

Table 2-6 indicates the cargo transfer flow between spacecraft 
elements. The letters H or N indicate that cargo, hazardous or nonhazardous, 
respectively, is to be transferred from the element in the left-hand vertical 
column to the corresponding element in the top horizontal row. This analysis 
follows from the definition of the various program elements and from the NR 
Phase B Space Station operational model used in Section 2. 3. 1. In accordance 
with conclusions reached in the hazards /emergency analysis of this section, 
it has been assumed in this model that no hazardous cargo will be carried in 
or through the orbiter crew compartment or airlock. The analysis has shown 
that all cargo can be transported to space and transferred as required without 
violating this assumption. 

2. 3. 3 Methods of Cargo Handling and Transfer 

Many methods are available for the transfer of cargo. The main con- 
cepts for shirtsleeve transfer are shown in Figure 2-1, based on classifi- 
cations defined by MDAC. These range from strictly hand-carry methods 
with no mechanical assists, to trolley systems that employ cages and remote 
controls. The MDAC concept of a cable guide system is categorized under 
manual-aided methods. 

For solid cargo transfer between a pressurized environment and an 
unpressurized environment, such as camera film reloading and retrieval 
from an unpressurized pallet, an airlock would be required. In addition, 


28 


SD 72-SA-0094-2 



Space Division 

North American Rockwell 


Table 2-5. Space Station Logistics Resupply 


Cargo Item 

* Liquid hydrogen 

* Liquid oxygen 

* Liquid nitrogen 

* Liquid helium 

* Miscellaneous cryo 

* Atmosphere 

* Argon 

* Neon 

* Helium 

* Carbon dioxide 

* Oxygen 

* Nitrogen 

* Calibration gas 

* Miscellaneous cryo 
Water-animals 

Water-no metallic content 
Water-sterile triple 
distilled 

Photo process chemicals 

Emulsion 

Chemicals 

Film- 35 mm 

* Hydrazine 
Life support 
Service items 
Station spares 


* Hazardous Items 


Cargo Item 

Film-35 mm cine 
Film-70 mm 
Film- 150 mm 
Film-225 mm 
Film 16 mm 
Film-9 x 14 mm 
Cultures (food) 

Specimens and food 
Food (animals) 

Tape, video 
Tape, audio 
Tape and microfilm 
Magnetic tapes 
Specimens spares 
Logistics 

Micrometeroid collector 

Ballooms 

Dry samples 

Diary, logistics 

Lab supplies 

Physiological Measurement 
supplies 
Accessories 
Film plates 
Probes 

Waste (return) 
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Table 2-6. Cargo Handling and Transfer Model 
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Legend: N = Non -hazardous cargo (film, tape, service items) 

H » Hazardous cargo (propellants, hazardous fluids and materials) 
- * Not applicable or no cargo transfer 

Notes: * Considers potential payload us: of EOS reserve propellants 

** Considers potential use of EOS propellants stored in cargo bay 
to extend EOS capability 
+ EOS » Earth Orbital Shuttle (orbiter) 
x RAM ■ Research Applications Module (sortie module) 
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intravehicular and extravehicular activity (IVA and EVA) would be involved 
if the cargo transfer were performed manually. Use of manipulators attached 
to the orbiter, such as shown in Figure 2-2, small specialized manipulators 
attached to a manned payload module, and other mechanisms controllable 
from a shirtsleeve environment are being considered to avoid IVA and EVA. 
The small specialized manipulators would provide dexterity, positioning 
accuracy, and control capability in excess of the larger Shuttle manipulator. 

Two basic alternatives available for the transfer of fluids are bulk 
transfer in self-contained tanks, and plumbed transfer in which fluids are 
pumped from one fixed container to another across an interfacing element 
such as a docking port. 

2.3.4 Identified Hazards 

Potential hazards which can occur during cargo handling and transfer 
operations were identified by considering possible combinations of the 
following: 

• Candidate cargo, both hazardous and non-hazardous, from 
Section 2. 3. 1 . 

• The cargo handling and transfer model of Section 2. 3. 2. 

• The different methods of cargo handling and transfer discussed 
in Section 2. 3. 3. 

The hazards or emergencies were considered to arise from two 
sources, as follows: 

• Failures or accidents related to hazardous cargo items from 
Section 2. 3. 1 in otherwise normal handling and transfer operations. 

• Malfunctions, failures, or accidents related to the cargo handling 
and transfer mechanisms, including human errors, considering 
both hazardous and nonhazardous cargo. 

The resulting hazards and emergencies were grouped into five 
generalized hazard/emergencies, which cover all the individual situations 
to the level of detail appropriate to this study. These hazards/emergencies 
are: 


1. 3. 001 Spillage or leakage of hazardous fluid or material 
during manual transfer in pressurized modules. 


32 


SD 72-SA-0094-2 





r 

yt 


r 


r 


?! 





Space Division 

North American Rockwell 


i 

I 


i 



Figure 2-2. Typical Orbiter Showing Use of Manipulators 
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1. 3. 002 Spillage or leakage of hazardous fluids or materials 
during mechanically assisted or remote transfer in 
pressurized modules. 

1.3.003 Spillage or leakage of hazardous fluid or material 
during remote transfer* in unpressurized area. 

1.3.004 Failure of transfer mechanism and/or loss of control 

of cargo during transfer in pressurized or unpressurized 
areas. 

1. 3. 005 A radioactive environment in a sortie module or Space 

Station, resulting from exposure or escape of radioactive 
material during transfer and handling of radioactive 
materials. 

The numbers refer to the hazard/emergency analyses in Appendix D of 
this report, in which these were analyzed. 
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2.4 CONCLUSIONS AND RE COMMEND AT IONS 

The main outputs of this task are the safety requirements and guide- 
lines which result from the hazard/emergency analyses. The hazard/ 
emergency analyses are contained in Appendix D, and include the require- 
ments and guidelines. The requirements and guidelines are also presented 
in Volumes IV and V of this report, arranged under the applicable vehicle 
(Shuttle orbiter, sortie module, upper stage vehicles, or Space Station). 

Conclusions from this task, based on the hazard/emergency analyses, 
and supported by the analyses in Appendix A, are presented in the following 
paragraphs. 

• The orbiter design is extremely sensitive to even small 
explosions in the cargo bay. Uncontained explosions equivalent 
to as little as 5 g (0.01 lb) of TNT may result in exceeding ^ 
the structural design limit of the cargo bay structure (14 kN/m , 

2 psi) from blast overpressure. By comparison, a hand grenade 

is equivalent to 10 g (0.025 lb) of TNT and a fully loaded 
Centaur to approximately 2700 kg (6000 lb) of TNT. 

• Any structural failure of a loaded upper stage vehicle while in 
the orbiter cargo bay which results in large leaks of both 
fuel and oxidizer will almost certainly be catastrophic to the 
orbiter. 

t The energy content of even the smallest liquid propellant upper 
stage vehicle if released suddenly, is far more than can be 
tolerated by the orbiter. The vehicle accelerations caused by 
the reaction of the leaking fluids will ensure mixing, and an 
ignition source will almost certainly be present during the 
process of structural failure. A chemical reaction therefore 
can be expected, and this will probably propagate faster than 
the rate at which the fluids can disperse in space, even with 
the cargo bay doors open. Every effort must therefore be made 
to prevent structural failure of upper stage vehicles while i.: 
or near the orbiter. Remedial measures are not considered 
practical, and have not been recommended. 

• If the leakage of large quantities of payload fluids into the 
orbiter cargo bay is considered credible during boost or while 
the orbiter is in orbit with the cargo bay doors closed, then 
additional venting of the cargo bay beyond that provided by the 
orbiter for normal venting may be required to avoid potential 
overpressurization of the cargo bay. This may need to be 
considered and provided for individually for each payload which 
contains large quantities of fluids. 
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The chemical and physical behavior of gases, liquids, and cryogenic 
fluids is not well understood in the zero-g and zero or very low 
pressure environment encountered in space. An important area of 
uncertainty as to the potential effects of leaking fluids therefore 
exists, and the severity, or even the possibility, of hazards such 
as combustion, chemical reaction, corrosion, attachment of frozen 
gases to the structure, etc., cannot be properly evaluated at 
present. In the hazard/emergency analyses in this task, the worst- 
case assumption was made that effects which are theoretically 
possible, such as sustained combustion of leaking hypergc 1 ics, will 
indeed occur. 


Launching a Space Station or sortie modules pressurized at 
1 atmosphere can present the orblter with a considerable hazard. 

A typical station module of 140 m3 (5000 ft^) volume has an 
explosive potential of 10 kg (22 lb) TNT equivalent. This arises 
because of the energy which could be released in the vacuum 
environment of space from the contained atmosphere. If this 
energy is instantaneously released, e.g., by structural failure 
of the module, the resulting blast and shrapnel would cause 
catastrophic damage to the orbiter. A rapid release of the 
contents of the module when the cargo bay doors are closed, wi:h- 
out any blast effects, could still pressurize the cargo bay to 
about 20 kN/m^ (3 psi) , or about 50 percent above its present 
design limit. Rapid release of the module contents when the cargo 

bay doors are open, or a slow enough relea so that the orbiter 

cargo bay vent system can adequately relieve the pressure, would 
not result in damage. 


Many different fluids, of varying degrees of hazard and in varying 
quantities, are currently planned for transportation to and from 
space by the orbiter and for use in sortie modules and on the Space 
Station. While many general safety requirements and guidelines 
have been identified, and an adequate level of safety appears 
possible to both the personnel involved and the spacecraft, more 
specific safety features than defined in this study must await a 
more detailed definition of the spacecraft, payloads, and their 
planned operations than is currently available. 

Cargo handling in space presents so-re specific hazards associated 
with the zero-g environment and with the limited remedial and 
escape provisions available. In addition to normal safety 
features required on the ground, specific requirements and guidelines, 
such as tethering of heavy cargo at all times, double-containing 
hazardous cargo, and providing mechanical assist where propulsive 
forces are possible, have been identified. 
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The main recommendations from this task are contained in the safety 
requirements and guidelines developed during the hazard/emergency analyses. 
Specific top-level recommendations arising from these and from supporting 
analyses are described in the follow!. % paragraphs. 

• The cargo bay doors on the orbiter should be opened as early as 
possible and closed as late as possible while in orbit when hazardous 
fluids or large quantities of propellants are carried in the orbiter 
cargo bay. This minimizes hazards from leakage, explosions, 
contamination, etc. 

• The liquid contents of upper stage vehicles being returned to 
earth should be dumped to space before deorbiting the orbiter. 

The purpose is to avoid the possibility of an uncontrolled increase 
in internal upper stage vehicle pressure during reentry or on the 
ground, possibly from an unexpected heat leak. The acceptable 
l-'vel of residual liquids and gas before returning to earth should 
be such that an insulation failure, leakage, or a crash landing 
will not result in overpressurization, lire, or a similar accident. 

• The capability should be provided for the orbiter to deorbit, reenter, 
and land with a fully loaded upper stage vehicle. This condition 
may arise from a failure to deploy the upper stage vehicle (perhaps 
because . ack of time following an abort situation) and failure to 
dump upper stage vehicle propellants. While such a combination 

of events may be quite improbable, the consequences could be 
catastrophic, and the condition should be designed for as being 
credible. It is not recommended that reduced factors of safety be 
considered for this situation, but the reentry and landing load 
criteria should be less severe than the norn.il desig • cases (e.g., 

1 o conditions instead of 3a) for this maximum weight condition, 
to avoid combining unrealistically severe worst-case design cases. 
The pilot in such situations will undoubtedly take extra care to 
avoid a hard landing. 

• Upper stage vehicles must be man-compatible; i.e., man-rating 
safety criteria must be applied to systems and functions of the 
upper stage vehicle which could create a hazard to the orbiter 
while the upper stage vehicle is in or near the orbiter. These 
criteria, which are not currently defined, must be defined 
consistently for the Shuttle and for upper stage vehicles. One 
possibility is that a flight test of the upper stage vehicle be 
performed in the Shuttle using fluids which are physically 
similar to the propellants but which do not react chemically. 

For example, may be used to simulate Such a 

flight test may^be cost effective because it can also replace 
much of the ground qualification testing. 
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* Because of the criticality to the orbiter of a failure of a 
pressurized sortie or Space Station module in the cargo bay 
while in space , two areas should be studied further: 

Identify and eliminate failure modes which can cause major 
structural or other failures of pressurized sortie or Space 
Station modules during boost, on-orbit, and reentry phases. 

Consider venting the modules to space while they are still 
in the cargo bay, to reduce the explosive potential. The 
necessary atmosphere can be taken up in a number of high- 
pressure tanks within the module. This has the effect of 
reducing the potential for damage, both by reducing the 
energy content per tank, and by reducing the pressure 
that can be generated in expanding the gas from a ruptured 
tank to the cargo bay volume. 
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2. 5 RESIDUAL HAZARDS AND HAZARDS RESOLUTION 

This section summarizes the hazards identified in Sections 2. 1 to 2. 3 
and their resolution, and presents the resulting requirements for supporting 
research and technology. 

2.5.1 Resolution of Identified Hazards 


The disposition of the 25 hazards identified in Sections 2.1 to 2.3 is 
shown in Table 2-7. This shows the judgments of the investigation as to 
which hazards would be resolved by implementation of the recommended require- 
ments and guidelines, and which are residual hazards; which of the residual 
hazards represent acceptable risks; and which require supporting research and 
technology (SRT) or must at present be considered unresolved safety issues. 
This hazards resolution has been performed in accordance with the procedures 
and definitions described in Appendix D. 


2. 5. 2 Supporting Research and Technology Requirements 

The supporting research and technology requirements resulting from 
the areas of uncertainty of this task are listed below (the main originating 
hazards /emergency are indicated in parenthesis): 

• Tne behavior of pressurized cryogenics, gases, and liquid as 
they explode into vacuum or into a large evacuated container 
should be understood. The purpose would be to determine the 
explosive contents under different conditions and the damage that 
can result. The subject can initially be studied analytically and 
the key results verified by laboratory tests (1. 1001, 1.2. 005). 

• Current and new techniques for designing, constructing, and 
operating tanks which can fail under pressure without producing 
shrapnel should be pursued (1. 1001, 1. 2. 005). 

• The use of strain measurement..' on pressurized tanks should be 
explored as a means of detecting impending failures on the tanks. 
This method has the potential advantage over conventional methods 
of monitoring temperatures and pressures of the contents that it 
can detect failures of the tanK due to imperfections or weaknesses 
of the tank, as well as overpressurization (1.1001, 1.2.005). 

• The potential for chemical combination of mutually reactive fluids 
and decomposition of monopropellants in a zero-g and low to 
zero-pressure environment should be investigated to evaluate 
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Table 2-7. Hazards Resolution 


Hazard No. 
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1.1.001 Explosion/rupture of a pressurized | 
container In an upper stage vehicle 
Inside or near orbiter. 

1.1.002 Combination of mutually reactive 
upper stage vehicle fluids lead- 
ing to explosion or fire inside 

or near orbiter. 


1.1.003 


1.1.004 


1.1.005 


1.1.006 


l.i.007 


1.1.008 


1.1.009 


l. 1.010 


Inadvertent detonation of explos- 
ive charge on upper stage vehicle 
inside or near orbiter. 

Rapid decomposition of mono- 
propellants located in or 
leaking from the upper stage 

vehicle while inside or near 
orbiter. 

Uncontrolled combustion in active 
upper stage vehicle reaction 
control engines while near the 
ojrbiter* 

Leakage of corrosive fluids from 
upper stage vehicle tanks while 
inside the orbiter. 

Inadvertent start of an upper 
stage vehicle main or reaction 
control rocket engine while in- 
side orbiter cargo bay. 

Inadvertent separation of an 
upper stage vehicle attach point 
while in the orbiter. 

Loss of attitude/ translation 
control of upper stage vehicle 
upon release from orbiter. 

Hangup of upper stage vehicle 
during release from orbiter. 


SD 72-SA-0094-2 










Space Division 

North American Rockwell 


r 

K 

e 

? 

\ 


Table 2-7. Hazards Resolution (Cont) 



Hazard No. 

Hazard 

' 

1 — 


— 

1 1 



Resolved 

Residual 

Acceptable 

Risk 

SRT Require- 
ments 

Unresolved 

Safety 

Issue 

1.1.011 

Rupture of common bulkhead tanks in 
upper stage vehicle while in or 
near orbiter. 


X 

X 



1.1.012 

1.1.013 

1.1.014 

Loss of pressurization in pressure 
stabilized upper stage vehicle while 
in or near orbiter. 

Inability to dump propellants or 

pressurants in retrieved upper stage 
vehicle. 

Inability to dump upper stage vehicle 
propellants or pressurants during 
orbiter abort. 

X 

X 

X 

X 



1.1.015 

Inability to close cargo bay doors 
after retrieval of upper stage 
vehicle because of interference 
with upper stage vehicle. 


X 

X 



1.2.001 

Exposure of the orbiter crew or 
passengers to a toxic environment 
released from a vessel in the payload 
containing a toxic fir Id. 


X 

X 



1.2.002 

A fire in the cargo bay resulting from 
release and ignition of a flammable 
fluid in an unpressurized paylaod. 


X 


X 

! 

1.2.003 

• 

A fire in a pressurized payload in the 
cargo bay resulting from release and 
ignition of a flammable fluid. 


X 


X 

i 

| 

1.2.004 

A corrosive environment in the orbiter 
cargo bay resulting from leakage or 
rupture of a payload vessel containing 
a corrosive fluid. 


X 


X 
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Table 2-7. Hazards Resolution (Cont) 


IEB350EBB 

Hazard 
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Risk 
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Unresolved 

Safety 
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‘ 

1.2.005 

An explosion In the orbiter cargo bay 
of a potentially explosive payl&ad 
vessel. 

1 

X 


X 

X 

1.3.001 

1.3.002 

1.2.003 

1.3.004 

1.3.005 

Spillage or leakage of hazardous fluid 
or material during manual transfer in 
pressurized modules. 

Spillage or leakage of hazardous fluid; 
or materials during mechanically 
assisted or remote transfer in 
pressurized modules. 

Spillage or leakage of hazardous fluid 
or material during remote transfer in 
unpressurized area. 

Failure of transfer mechanism and/or 
loss of control of cargo during 
transfer in pressurized or un- 
pressurized areas. 

A radioactive environment in a sortie 
module or space station, resulting 
from exposure or escape of radioactive 
material during ransfer and handling 
of radioactive materials. 

5 

X 

X 

X 

X 

i 

i 

X 

X 

X 

! 

1 

X 

X 

j 
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how severe this hazard is. Some insight can be gained by 
theoretical studies, but full confidence would require small-scale 
laboratory tests in simulated or actual zero-g conditions. For 
monopropellant decomposition, the catalytic effect of different 
spacecraft materials should be investigated, as well. This would 
require valid pressures, temperatures, and concentrations, but 
the zero-g environment could probably be dispensed with except 
as a final verification (1.1. 002 and 1 . 1.003). 

The behavior of corrosive fluids in zero g should be investigated 
to determine how serious the hazard of a leaking corrosive fluid 
could be, and to determine practical protection methods and 
remedial measures. Means for detecting the location of the 
corrosive fluid or of the corrosive action should also be investi- 
gated. This research should cover the range of pressures from 
full spacecraft pressures down to a vacuum. A particular point 
to be investigated should be the behavior of corrosive fluids which 
are frozen in a space environment and thaw out and become more 
active upon return to an earth environment (1. 1006, 1.2.004). 

The flammability and chemical reactivity of spacecraft and payload 
materials under low pressure conditions representative of fluid 
leakage into the orbiter cargo bay should be investigated. The 
reactive gases should be fluids such as oxyge .*, hydrogen, N 2 O 4 , 
etc. , which may be carried as propellants, cargo, or experiment 
fluids. The purpose would be (a) to understand the mechanics and 
dynamics of chemical reactions under zero-g and low-pressure 
conditions, and (b) to map areas of flammability and reactivity in 
terms of materials, pressures, temperatures, etc., for use as a 
guide in materials selection for forthcoming spacecraft ( 1 . 2 . 002 ). 

Means for detecting and suppressing fires in a zero-g pressurized 
environment should be investigated. This research should include 
understanding of ignition, heat transfer, and flame propagation; 
effects of air currents due to forced convection and low-g accel- 
eration; and the convection effects of applying fire extinguishers to 
the fire. Both manned and unmanned situations should be con- 
sidered. The investigation should consider a broad systems 
approach to the problem so as to lead to practical recommendations 
for space applications. Tests should be considered for the Sky lab 
program to supplement the current proposed effort (1. 2. 003). 

Means should be developed for locating spilled hazardous fluids 
and materials in a zero-g manned environment and for neutralizing 
or collecting and disposing of these (1. 3. 001, 1. 3. 002). 
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3.0 SHUTTLE TO SPACE STATION DOCKING OPTIONS 

The Space Station Program Phase B Definition studies identified a concern 
as to the best way to effect docking between the shuttle orbiter and the space 
station. The safety aspects of bringing these two large and massive vehicles 
together were a prime consideration in the suggested docking methods. The 
safety issues became more acute when the modular space station was considered, 
because of the more frequent logistics resupply cycle of approximately once 
per month in which a module is exchanged, ^ id because of the assembly opera- 
tions, during which the space station is built-up a module at a time. This 
involves many docking operations, many of them with an unmanned vehicle 
during station build-up. Compared with the modular space station, the 10 m 
(33 ft) diameter station was to be supplied logistically on a 3 to 6 month 
cycle, and only in the initial docking was the station unmanned. 

Among the systems that have been considered for docking are: 

• The direct docking of the shuttle orbiter to the space 
station, as in the Apollo Program. 

« The use of manipulators, on either the orbiter or station, 
to effect a more mechanically determinate docking maneuver, 
and at a much lower contact velocity whan is practical with 
direct docking. 

• An extendable soft-dock system which provides a larger dis- 
tance between the docking vehicles at initial contact, and 
reduces the docking loads through the flexibility of the 
system, 

• Free-flying and docking the individual space station or other 
modules between orbiter and station, so as to avoid the close 
proximity of orbiter and station. The station and orbiter 
station-keep at some distance from each other. 

The purpose of this task was to identify, analyze and recommend 
resolution of the hazards involved in the suggested methods for docking 
the orbiter to the modular space station; and to make recommendations as 
to the preferred docking methods from the safety point of view. 

Three kinds of operations were considered, as follows: 

• Assembly of modular space station. This includes all phases from 
the assembly of the two initial unmanned modules, through build-up 
to a fully manned operational station. 

• Normal resupply docking. This consists of the periodic routine 
logistics bringing up and docking of resupply or new modules to 
the station, and the undocking and return to earth of empty or 
otherwise unwanted modules. 
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• Emergency docking. A situation has occurred which makes the 
docking substantially different and introduces additional hazards. 

The comparison of the various docking options was divided into two 
essentially uncoupled trade-offs. One trade-off was between three docking 
systems, and the other between two docking modes. The three docking systems 
are: 

• Direct docking system 

• Extendable tunnel docking system 

• Manipulator docking system 

The two docking modes are: 

• Orb iter to station docking mode 

• Free-flying module docking mode 

The hazards identified in this task, and the resulting analyses, are appli- 
cable to any combination of docking vehicles which use the docking systems and 
modes considered here, providing at least one of the vehicles is manned. The 
comparisons and evaluations of the systems and modes, and the conclusions and 
recommendations reached, however, cannot be applied to all such vehicle com- 
binations without careful re-evaluation. The reason is that the effects and 
criticality of the hazards may differ according to the configuration, size, 
mass, control systems, and other features of the vehicles. The further these 
features vary from the orbiter, space station and individual free-flying mod- 
ules considered here, the less the confidence that can be placed on the appli- 
cability of the results and conclusions. 

Further differences which may invalidate the results of this task arise 
when additional hazards exist because of the nature of the vehicles. For 
example, when one of the docking vehicles is a propulsion stage (e.g., a tug) 
or contains large quantities of propellants (e.g., a propellant depot), hazards 
associated with propellant slosh, leaks, etc., must be additionally considered. 
Forces due to propellant slosh during docking, for example, negligible on the 
orbiter (while in orbit) , the sortie modules and the space station compared to 
the docking loads, and have not therefore been considered to produce any hazard 
during docking. Another example is a reusable nuclear shuttle, which poses 
nuclear radiation hazards. For such vehicles, the conclusions of this task 
must be re-assessed. 
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The analyses are presented as follows : 

Section 3.1 The docking systems and modes considered and described 
Section 3.2 The potential hazards associated with docking are identified 

Section 3.3 The docking system j are compared and evaluated 
Section 3.4 The docking modes are compared and evaluated 
Section 3.5 Emergency docking is considered 

Section 3.6 The conclusions and recommendations of the task are presented 

Section 3.7 The identified hazards are resolved according to procedures 
described earlier. 

Supporting analyses are presented in Appendix B, and hazard/emergency 
analyses in Appendix D. The resulting requirements .ind guidelines are contained 
in Volumes IV and V. 
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3.1 BASELINE MODEL 

The baseline model described in this section illustrates the features 
of the three docking systems, the two docking modes, and the assembly, 
normal resupply docking and emergency docking operations which were consi- 
dered during this task. This baseline model specifically describes features 
pertinent to this task. To place the docking operations in the context of 
the wider perspective of the space program being considered, the reader is 
referred to the baseline model in Section 1.4. 

While the descriptions in this baseline model are fairly definite, a 
conscious attempt has been made to describe those features which are signifi- 
cant in identifying the differences between the various docking systems and 
inodes, particularly as they affect the safety issues. A section has been 
added at the end of each sub-section which describes possible variations 
which would not affect the safety trade-offs and conclusions. Such varia- 
tions should be considered as typical only, and not exhaustive. 

3.1.1 Direct Docking System 

The direct docking system involves the approach of the two docking 
vehicles right up to each other so that the integrally attached docking 
mechanisms can make contact for initial capture. The system is character- 
ized by the use of the propulsive capability of one of the mating vehicles 
to effect final closure and docking contact and a relatively short and stiff 
Impact attenuation stroke of the docking system. Typically, this stroke is 
approximately 0.3 m (10 in) or less. 

The NR and MDAC docking system concepts developed in the Space Station 
Phase B studies are direct docking systems. These are shown in Figure 3.1-1. 
Both systems are similar in that they are structurally integral with the 
docking vehicles. They employ a docking ring or frame with vehicle alignment 
features, docking interface seals, capture latches, impact alternators, equip- 
ment for retracting the mated vehicles after capture, and capability for 
rldigizing the docking interface. Although the attenuation stroke capability 
may be varied by the design, both of tb* se use the short stroke characteristic 
of direct docking systems. 

The use of the direct docking system is illustrated in Figure 3.1-2 
for the orbiter to station docking. This may occur via an intermediate payload 
to the modular space station, as shown in the top illustration in which the 
orbiter is delivering a module to the station; or directly at the orbiter 
docking interface, as in the lower illustration, in which the orbiter is 
retrieving a module for return to earth. Direct docking may also occur when 
a free-flying module docks either to a station or to an orbiter. 

The direct docking system requires the dissipation of relatively large 
energy levels because of the coarse velocity control expected for propulsive 

maneuvers of the large masses involved. 
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Figure 3.1~1* Direct Docking System Concepts 
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3.1.2 Extendable Tunnel Docking System 

The extendable tunnel docking system uses an extension mechanism of some 
kind so as to extend the docking mechanism on one of the two docking vehicles 
some distance from the vehicle before effecting initial contact and capture, 
and is then retracted to draw the two vehicles together for rigidizing. The 
distinguishing features of the extendable tunnel docking system are that it 
provides a long separation distance of the two vehicles at the instant of first 
contact, it provides stability after capture and during draw down and affords 
a long storke, low stiffness attenuation capability. Although the system is 
called an extendable tunnel system because the particular concept analyzed 
uses an inflatable extendable tunnel, the system may use other means for pro- 
viding the extension and stiffness. Mechanical linkages, and hydraulic, 
electrical or mechanical actuation could be used. The important features are 
the relatively long extension, and adequate bending and torsional stiffness. 

One extendable tunnel decking system concept adapted from a concept con- 
sidered for the Apollo, is shown in Figure 3.1-3. It employs a docking port 
attached to one end of an accordian-like bellows tube, extendable to approx- 
imately 3 m (10 ft) in length, the other end of which is attached to one of 
the docking vehicles. The stroke attenuation capability is approximately 10 
times greater than for direct docking systems. The tunnel consists of a 
double walled bellows which is fully retractable to a locked position for 
stowage during non-docking orbital operations. Deployment of the tunnel for 
docking operations consists of extending the bellows from its retracted posi- 
tion by pressurizing the volume contained between the double walls at a rela- 
tively low pressure. Docking is performed with the tunnel fully deployed. 

The impact attenuation capability is obtained from release of gas through 
restrictive orifices during compression of the tunnel. Reel mechanisms or 
equivalent devices retract the tunnel during the rigidizing procedure after 
capture. Pressurization of the tunnel after rigidizing and during docked 
operations is not necessary because the tunnel is outside the docking seals. 

A version of this docking system was designed at NR for the Apollo in 
1963, and tested as part of the final evaluation and selection of the docking 
system. It was one of four extendable systems designed and tested for this 
purpose. Tests in two-dimensional simulated docking of this system, which 
had a 75 cm (30 Inch) diameter tunnel, and extended to approximately 3.7 m 
(12 ft), showed that it was feasible, and had no major problems. The other 
three extendable systems consisted of a small (10 cm, 4 inch) inflatable 
tunnel, and two extendable stem devices; these three systems generally 
encountered control problems due to insufficient stiffness, and required use 
of the reaction control system to assist in damping the lateral motions. 

These four extendable systems were compared with three direct docking 
systems. The probe and drogue system selected for the Apollo was one of these 
three direct docking systems. 

The extendable tunnel system can be used in two different methods. In 
the first method, illustrated in Figure 3.1-4, the docking system is first 
fully extended, and initial contact and capture are effected by propulsive 
maneuvering of the whole vehicle. In the second method, illustrated in Fig- 
ure 3.1-5, the two vehicles station-keep at a relatively close distance 


51 


SD 72-SA-0094-2 






Space Division 

North American Rockwell 


REEL MECHANISM 
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before the docking system is extended, and initial contact and capture are 
effected by extending the docking system relative to the stationary vehicle. 
The first method requires the docking system to absorb all of the kinetic 
energy of the moving vehicles, whereas in the second method this energy has 
been taken out by the propulsion system, and the docking system need only 
absorb the energy of the moving docking system itself. The first method, in 
which the system is first extended and the whole vehicle moves to dock, was 
generally considered in the analyses that follow, as this poses the more 
stringent safety issues. The results of the analyses, and the conclusions, 
are applicable, however, whichever method is used. 

3.1.3 Manipulator Docking System 

The manipulator docking system is characterized by the use of a manipu- 
lator on one of the docking vehicles to effect capture of the other one and 
to bring the two vehicles together for docking, latching and rigidizing. 

The particular features which make the manipulator docking system different 
from the other systems are: 

(a) The two docking vehicles station keep at some stand-off distance 
before docking. 

(b) A control system is used to deploy the manipulator and effect 
initial contact and capture of the other vehicle. 

(c) The manipulator is controlled to bring the two vehicles together 
at a low controlled velocity to effect alignment and latching 
of the docking hatches. The energy attenuation requirements are 
low.* 

(d) The manipulator has many degrees of freedom in articulation, so 
that it can maneuver the two vehicles through relatively complex 
positions. 

It should be noted that the first three items abova are also character- 
istic of the extendable tunnel docking system when used in the method with 
the vehicles station keeping and the docking system effecting capture and 
closure. It is only the last feature, the complexity of the manipulator, 
that distinguishes the manipulator system from that particular version of 
the extendable tunnel system. 


A typical manipulator configuration is shown in Figure 3.1-6. This 
consists of a multi-jointed mechanical aram approximating 20 m (60 ft) in 
length attached to one of the docking vehicles. It has a shoulder, elbow 
and wrist, whose functions and articulation correspond with the same parts 
of a human aram. A variety of specialized tools can be attached to the wris«- 
to perform the specific functions of each mission. 
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One concept for integrating the manipulator into the orbiter, result- 
ing from NR Phase B studies, is shown in Figure 3.1-7. Features include two 
manipulators with peripheral illumination, visual (video) and operating aids, 
and a manipulator operator station in the orbiter for manually controlling 
or observing automatic control of the manipulator. The docking functions 
have generally been conceived as being performed by either manipulator on 
its own, the second one providing a backup function. The manipulators are 
normally stowed along the length of the cargo bay, and are protected from 
the boost and re-entry environments by the cargo bay doors. 

For practical nomenclature purposes, the manipulator or manipulators 
xre assumed to be on the shuttle orbiter in the remainder of this task. 

The results and conclusions apply whatever vehicle the manipulators are on, 
however; in which case wherever the term "orbiter" is used, this should be 
replaced by "the vehicle with the manipulators." 



Figure 3.1-7. NR Phase B Orbiter with Manipulators 
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Three basic methods can be used for manipulator docking. These are, 
respectively: 

o Station keeping method 

o Dual dock method 

o Dual manipulator method 

and are illustrated in Figure 3.1-8. 

The station keeping method requires that the orbiter and the target 
vehicle station keep in an attitude hold mode within reach distance of the 
manipulator. While maintaining the position, the orbiter uses the mani- 
pulator to remove the payload module from the cargo bay and maneuvers it 
to effect docking with the target vehicle. Removal of a module from the 
target vehicle would be similarly accomplished. 

The dual dock method requires manipulator capture of the target vehicle. 
In this technique, the orbiter and target vehicle station keep within reach 
distance of the manipulator, which reaches out, captures the target vehicle, 
and retracts it to a docking position on an orbiter docking port. After 
this operation is accomplished, the orbiter employs the manipulator to 
remove the payload module from the cargo bay and attach it to the selected 
docking port on the target vehicle. Removal of a module from the target 
vehicle requires, as before, capture and docking of the target vehicle 
prior to module removal by the manipulator. 

The dual manipulator method combines features from the other two 
methods, and requires two manipulators, as the name implies. One manipulator 
is used to capture the target vehicle, as in the dual dock method. Instead 
of docking the target vehicle to the orbiter, however, the first manipulator 
is used to hold the target vehicle in a fixed position. The second mani- 
pulator is now used as in the station keeping method to deploy and dock 
the mdoule to the target vehicle. The target vehicle is attached to the 
orbiter, but because of the flexibility of the manipulator, more loosely 
than in the dual dock method. 

In all three of these methods the undocking is performed in the reverse 
order of the docking. 

All three methods have been considered in the study task. 

3.1.4 Orbiter-to-Station Docking Mcde 

Two different modes of docking are possible with each of the docking 
systems described earlier. These are the orbiter to station docking mode 
and the free-flying module mode. 
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The orbiter to station docking mode is characterized bv the docking 
of the orbiter to the station as illustrated in Figure 3.1-9 or vice versa. 

This means that the two vehicles approach each other to within the distance 
required by the particular docking system used, i.e., within 0.3 to 20 m 
(1 to 60 ft) . The orbiter may have a module deployed so that the docking 
interface is between the attached module and the space station (Figure 
3.1-2A), or the docking may be dire^ly to the orbiter docking interface 
(Figure 3.1-2B). In either case, this mode results in the attachment 
through the docking port interface of two large masses, namely the orbiter 
and station, which are each of the order of 90,000 kg (200,000 lb). 

3.1.5 Free-Flying Module Docking Mode 

The free-flying module docking mode, illustrated in Figure 3,1-rlO 
uses a free-flying module to fly between and dock to the orbiter and station. 

In this way the orbiter and station can stand off from each other in station 
keeping modes at a relatively large distance, which may in practice be 150m 
to 1.5km (500 ft to 1 mi). The free-flying module may be manned or unmanned. 
All dockings occur between an individual module, typically of 9,0QC kg (20,000 lb) 
mass, and the station or orbiter. Docking impact energies are therefore only 
20 per cent or so of those involved in the orbiter to station docking mode 
(at the same velocity) . 

Each free-flying module involved in this mode requires attitude control, 
propulsion, guidance and communications capability. This may be achieved 
in three distinct ways : 

• Integral systems module 

• Space-based mini-tug 

• Ground-based mini-tug 

In the integral systems module (Figure 3.1-10A), all the guidance, 
control and other functions are provided by systems on board each of the 
involved modules. If the modules are to be manned during the free-flying 
maneuver, life support systems must also be included. 

In the two mini- tug concepts (Figure 3.1-10B, these functions are 
provided in a separate mini-tug vehicle, leaving the free-flying modules 
free of these additional system requirements. The mini-tug is envisioned 
as a relatively small module, since the propvlsion needs are small. In 
addition to the functions mentioned earlier, it must be able to dock and 
undock with the free-flying modules, station and orbiter and must also be 
able to free-fly without an attached module. The advantage of the mini-tug 
is that a single mini-tug can provide the functions for all the free-flying 
modules, whereas in the integral systems module concept, each module must 
contain the various systems.- 
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In the ground based mini-tug concept, the mini-tug Is attached to the 
module to be delivered before launch. Orbital operations for docking are 
Identical to those of the Integral systems module concept. After docking 
to the space station, however, the mlnl-tug is undocked from the delivered 
module and flown back to the orblter for return to earth and preparations 
for the next flight, or Is used to return another module from the station 
to the orblter for return to earth. 

In the space based mini-tug concept, the mlnl-tug Is based at the station. 
It flies to the orblter, docks to the payload module and flies it to the 
station. Modules are transferred from the station to the orblter in the 
reverse order. 

3.1.6 Assembly and Normal Resupply Docking Operations 

Docking operations are common to the station assembly and to normal 
resupply operations. During the assembly, docking is required to assemble 
modular space station elements into a modular space station which is capable 
of supporting a crew and the routine conduct of experiments. During the 
normal resupply phases, docking is required to support cargo and experiments 
resupply, crew rotation, and waste disposal. 

The most significant considerations for docking, as related to the 
mission phases, is that docking during the assembly of the station involves 
(1) dockings with an unmanned station and (2) continually changing mass 
characteristics of the station. Since these considerations do not result 
in operational differences between assembly and resupply dockings, they are 
treated as one set of operations for this task. 

The primary modular space station concepts being considered at the 
current time by NR and MDAC for a 6-man space station are shown in Figures 
1-8 and 1-9. These figures include the buildup sequence and the capability 
within each module after buildup. 

The NR station consists of nine modules requiring a like number of 
orblter flights and eight dockings. The MDAC station requires four orblter 
flights and three dockings, as shown, to achieve a 2-man crew initial cont- 
inuous manning capability. Two more logistics module flights and two Resear 
and Application Module (RAM) flights are required to provide 6-man continuous 
manning with initial station experimentation capability consistent with the 
NR station. 

Both stations are capable, after buildup to the initial station, of 
supporting a crew of six and can expand to growth station with a crew of 
up to 12 and increased experimental capability with the addition of more 
modules . 
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3.1.7 Emergency Docking 


Analysis of the docking systems Included consideration of emergency 
docking to Identify hazards and considerations In tradeoff evaluations. 

Identification and evaluation cf potential emergencies has shown that, 
so fit ua docking Is concerned, emergency docking is characterized by one 
of the following two situations: 

(1) A time critical situation on the orbiter, free-flying module, 
or station, in which a docking is required to save or prevent 
injury to personnel or damage to the vehicles, or otherwise 
prevent a hazardous or dangerous situation from reaching 
capas trophic proportions. 

Examples of time critical situations are fire, fumes, impending 
explosion, leakage, atmospheric depressurization, failure of life 
support, power failure and injured personnel. 

(2) Docking to a vehicle which has lost or experienced degradation 
of a critical docking function. 

Examples are attitude control failura and docking to a slowly 
tumbling vehicle. 

Both of these emergency docking operations have been considered in the 
subsequent analyses. 
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3.2 HAZARDS IDENTIFICATION 

This section described the identification of potential hazards associated 
with the docking systems and modes described in the previous section (Section 
3.1, Baseline Model). 

The general method used to identify these hazards consists of setting out 
the functions which have to be performed, and then considering what hazards 
may arise in each function from equipment failures, operational errors, 
unexpected environments and major malfunctions or accidents. The section, 
therefore, starts with an analysis of the docking functions, and continues 
with a methodical identification of hazards peculiar to the various docking 
systems and modes. 

The hazards identified were reviewed by a number of NR/SD pilots and 
NASA astronauts for credibility and completeness. Their comments have been 
incorporated in the analysis that follows. 

3.2.1 functional Analysis of Docking Systems 

Top-level functions required by the docking systems for docking of two 
spacecraft were defined and are listed in Table 3-1. These are general, and 
are applicable to any set of vehicles, and to all the docking systems and 
docking modes considered. Individual differences between docking systems and 
modes are identified and compared later. The top-level functions have been 
divided for convenience into four different maneuver phases: 

• Pre-contact 

• Contact 

• Post-contact 

• Undocking 

A comparison of the three docking systems being considered (direct dock, 
extendable tunnel and manipulator) shows that substantially different means are 
ured in the three systems to meet the functional requirements. These differ- 
ences are high-lighted in Table 3-2, in which the design features used for 
each function are identified for the three docking systems. Only those func- 
tions in which inherent differences exist between the systems are shown. 
Alternate means for performing a function within a given system are also shown. 

As can be seen from the table, the primary differences in the systems are 
related to the final closure function in the pre-contact phase, the energy 
attenuation function in the contact phase, and the capture and draw-down func- 
tions m the post-contact phase. The two methods identified for the extendable 
tunnel system (Section 3.1.2) differ only in the method of energy attenuation. 
The three methods of using the manipulator docking system described in Section 
3.1.3 and shown in Figure 3.1-8 differ considerably in their operations when 
examined one level below the top-level functions of Table 3—1. These are com- 
pared in Table 3-3, using the six key operations of attach, release, extend, 
retract, dock, and undock. 
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Table 3-1. Top-Level Functions Required for Docking 


Pre-Contact Flight Phase 

1. Acquisition - One vehicle must locate the other either visually 

or electronically. * 

2. Gross Orientation - One vehicle must maintain attitude hold, 
while the other translates and rotates into alignment. The 
vehicle maintaining attitude hold will be called the "passive" 
vehicle. 

3. Station Keeping - The active vehicle must station keep with the 
passive vehicle for inspection of the docking port condition. 
Active vehicle attitude hold is required. 

4. Deploy Docking System - The active vehicle must deploy or arm 
the active portion of the docking system. 

5. Fine Orientation - The active vehicle must fine align the active 
docking system with respect to the passive vehicle docking port 
in both translation and rotation. 

6. Final Closure - The active vehicle docking interface must be 
maneuvered to contact the passive vehicle docking port. Lateral 
drift and residual attitude misalignment must be corrected 
during axial closure. 

Contact Phase 


1. Energy Attenuation - The active vehicle docking system must 
absorb the energy of relative motion between the two vehicles. 

Post-Contact Phase 


1. Capture - The active vehicle mating system must provide connection 
to the passive vehicle. 

2. Attitude Alignment - Residual attitude misalignments between the 
vehicles must be corrected either by active vehicle maneuvering 
or by the capture mechanism prior to seating the mating inter- 
faces. If the capture mechanism provides attitude alignment, 
the active vehicle must be placed in the free mode (i.e., no 
attitude hold) . The passive vehicle remains in the attitude 
hold mode* Failure to inhibit attitude hold on one of the 
vehicles will cause both control systems to fight to hold their 
respective misaligned attitudes. 
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Table 3-1. Top-Level Functions Required for Docking (Cont.) 


Post-Contact Phase (Continued) 

3. Draw Down - The docking interfaces must be drawn together to 
remove residual attenuation stroke and seat the interfaces. 

4. Rigidizing - The docking interfaces must be structurally connected 
either automatically or manually to provide the required inter- 
vehicular stiffness for combined vehicle maneuvering. This 
function also can seat pressure seals if intervehicular press- 
urization is required. 

Undocking Phase 

1. Unrigidize - The docking interfaces must be structurally dis- 
connected to provide a flexible coupling for independent vehicle 
maneuvering. This function can also unseat pressure seals and 
be combined with the separation function. 

2. Separate - The docking interfaces must be physically separated. 
Energy stored in the docking system may be used to provide or 
augment separation forces. 

3. Recycle Docking System - The docking interface must be left in a 
condition to dock again. The rigidizing latches shall extend 
the attenuators to the unstroked position, the capture latches 
shall be unlocked and recycled, and the docking systems stored. 
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Table 3-2. Comparison of Design Features of Docking Systems by Function 


Function 


Pre-Contact Phase! 


Deploy Docking 
System 


Final Closure 


Contact Phase: 


Energy Atten- 
uation 

Post Contact Phase; 


Direct Dock 


DOCKING SYSTEM 


Extendable Tunnel I Manipulator 


Rotatable docking Extendable tunnel 
mechanism and/or 
direct dock system 


Propulsive man- 


euver 


Shock absorbers 


Propulsive man- 
euver or tunnel 
extension 


Tiumel air 
compression 


Manipulator 


Manipulator 

extension 


Manipulator joint 
torque 


Capture 

Attitude Align- 
ment 


Capture mechanism Capture mechanism Manipulator 


Capture mechanism 
or propulsive 


maneuver 


Tunnel or propul- 
sive maneuver 


Manipulator 



Draw Down 


Rigid! zing 


ndocking Phase: 


Unrigidize 


Separate 


Recycle Dock- 
ing System 


Capture mechanism 
retraction 

Latching (or 

equivalent) 

mechanism 


Latching (or 
equivalent) mech- 
anism release 

Stored docking 
system energy 
ani/or propulsive 
maneuver 


Recycle latches 
and attenuators 


Tunnel retraction 


Latching (or 

equivalent) 

mechanism 


Manipulator 

retraction 

Latching (or 

equivalent) 

mechanism 


Latching (or Latching (or 

equivalent) mech- equivalent) mech- 
anism release anism release 

Stored docking Stored docking 

system energy system energy 

and/or tunnel ex- and/or manipulator 

tension and/or extension and/or 

propulsive maneuver propulsive maneuver 


Recycle latches 
and attenuators, 
stow tunnel 


Recycle latches 
and attenuators, 
stow manipulator 
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Table 3-3. Comparison of Operations for Manipulator Docking Methods 




METHOD 


Operation 

Station 

Keeping 

Dual 

Dock 

Dual 

Manipulator 

[1) - Manip #1 

[2) - Manip #2 

o 

Attach manipulator to module in cargo 
bay 

X 



o 

Extend manipulator 

X 

X 

X(l) 


Attach manipulator to station 


X 

X(l) 

0 

Attach manipulator to module in cargo 
bay 



X(2) 

0 

Extend manipulator 



X(2) 

0 

Dock module to station 

X 


X(2) 

o 

Release manipulator from module 

X 


X(2) 

o 

Retract manipulator 

X 

X 

X(2) 

o 

Dock station to orbit er 


X 


o 

Release manipulator from station 


X 

X(l) 

o 

Attach manipulator to module in cargo 
bay 


X 


o 

Extended manipulator 


X 


o 

Dock module to station 


X 


o 

Release manipulator from module 


X 


o 

Attach manipulator to station 


X 


o 

Undock station from orbiter 


X 


0 

Extend manipulator 


X 


o 

Release manipulator from station 


X 


o 

Retract manipulator 


X 

X(1) 


65 


SD 72-SA-0094-2 






Space Division 

North American Rockwell 


An appreciable difference is seen in the number of operations required 
by each of the three methods. The station keeping method uses only 5 opera- 
tions, the dual dock 14, and the dual manipulator 9 (4 by one manipulator 
and 5 by the other) . 

The functions shown in Table 3-3 are for the orbiter docking a module to 
the station. The operations required for undocking a module from the station 
are functionally identical and can be obtained by reversing the order of the 
functions shown and substituting the antonym for the words retract (i.e., 
extend), release (attach), to (from), and dock (undock). 

3.2.2 Functional Analysis of Docking Modes 

A functional comparison of the two docking modes considered, i.e., 
orbiter to station docking mode and free-flying module docking mode, shows 
that the differences occur in the number and order of dockings which occur 
rather than the details of how the docking is done. Each of the three 
docking systems considered can be used with either of the docking modes. 

The two docking modes including three variations discussed in Section 
3.1.5 for the free-flying module mode are compared in Table 3-4 in terms of 
the three key functions of undock, free-fly, and dock. The table describes 
a typical orbiter mission in which the orbiter delivers one module to the 
station and returns another station module to earth. 

It is apparent from the table that the Space Based and Ground Based 
Mini -Tugs involve the most operations (15 and 9 operations, respectively), 
as opposed to 6 operations each for the orbiter to station and integral 
systems free-flying modes. 

If the comparison is confined to the space station assembly operations 
only, in which modules are delivered to the station but not returned to 
the orbiter, only the items indicated by the asterisks are involved. The 
comparison now shows that the space based and mini-based tug, each require 
six functions, and the integral systems module and orbiter to station modes 
three each. 

3.2.3 Hazards Common to All Docking Systems and Modes 

Hazards were identified by considering the potential effects of possible 
equipment failures, operational errors, unexpected environments and major mal- 
functions or accidents during each of the functions identified in Sections 
3.2.1 and 3.2.2. The hazards fell into two categories: those common to all 

the docking systems and modes considered, and those specific to individual 
systems or modes. 

The hazards common to all systems and modes are identified by 2.1. XXX 
numbers, and are as follows: 


SD 72-SA-0094-2 


66 



Space Division 

North American Rockwell 


Table 3-4. Functional Comparison of Orbiter to Station 
and Free-Flying Module Docking Modes 




MODE 




Free-Fly Module 



Orbiter 

Integral 

Space 

Ground 


Function 

to 

Systems 

Based 

Based 



Station 

Module 

Mini-Tug 

Mini-Tug 



(Direct Dock) | 


0 

Undock from station 



X 


0 

Free-fly to orbiter 



X 


0 

Dock to delivered payload 
module 



X 


0 

Undock delivered payload 
module from orbiter 


X 

X 

X 

0 

Free-fly (or fly) to station 

X 

X 

X 

X 

0 

Dock delivered payload module 
to station 

X 

X 

X 

X 

0 

Undock from delivered payload 
module 

X 


Y 

X 

0 

Free-fly (transpose) to earth 
bound module 

Y 


Y 

Y 

0 

Dock to earthbound module 

Y 


Y 

Y 

0 

Undock earthbound module from 
station 

Y 

Y 

Y 

Y 

o 

Free-fly to orbiter 


Y 

Y 

X & Y 

o 

Dock to orbiter 


Y 

Y 

X & Y 

o 

Undock from earthbound module 



Y 


0 

Free-fly to station 



Y 


0 

Dock to station 



Y 



X - Deliver and dock a module. 
Y - Undock and return a module 

• 









* 

t 


& 

t: 

4 ; 




* 


$ 


f* 






> 






X-. 
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2.1.001 Impairment or visibility at critical moment during docking. 

2.1.002 Loss of vehicle control prior to docking contact. 

2.1.003 Loss of vehicle control after initial contact during docking. 

2.1.004 Failure to inhibit attitude hold of one vehicle 
after capture during docking. 

2.1.005 Loss of docking system function or control. 

2.1.006 Failure of orblter payload module deployment mechanism prior to 
docking. 

2.1.007 Hardware protrusions in the docking tunnel. 

2.1.008 Unsecured equipment and personnel during docking. 

2.1.009 Degradation of life support system during docking. 

2.1.010 Docking hatch opened when pressure equalization incomplete. 

2.1.011 Electric discharge during initial docking contact. 

The correlation of these hazards with the docking functions during 
which they can arise is shown by the x's in Table 3-5. 

3*2.4 Hazards Specific to Individual Docking System s 

Hazards identified by examination of the docking functions become more 
specific when consideration is given to each of the three docking systems 
previously described. These hazards are numbered as follows: 

2. 2. XXX Specific to the direct docking system. 

2. 3. XXX Specific to the extended tunnel docking system. 

2. 4. XXX Specific to the manipulator docking system. 

2.2.001 Loss of vehicle control in close priximity to other vehicle 
during dezking. 

2.2.002 Loss of attenuation capability during docking. 

2.3.001 Loss of vehicle control prior to docking contact by 
extendable tunnel. 

2.3.002 Loss of vehicle control after capture by extendable tunnel 
docking system. 

2.3.003 Loss of pressure in the pneumatic extension and energy 
absorption mechanism of the docking system. 
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Table 3-5. Correlation of Common Hazards with Docking Functions 


Docking 

Function 

Hazard 

Impairment of Visibility 

Loss of Vehicle Control 
Precontact 

Loss of Vehicle Control 
Post Contact 

Failure to Inhibit One 
Vehicle att. Hold 

Loss of Docking System 
Function 

Failure of Deployment 
Mechanism 

Hardware Protrusions in 
Tunnel 

Unsecured Equipment During 
Docking 

1 

Degradation of Life Support 
System 

Pressure Not Equalized 

— 
Electric Discharge 

Pre-Contact 












Flight Phase 

» | 
» 











Acquisition 

X 

X 







X 



Gross Orien. 

X 

X 






X 

X 



tation 












Stationkeep. 

X 

X 







X 



Deploy dock. 

X 

X 



X 

X 



X 



sys. 












Fine orient. 

X 

X 






X 

X 



Final Clos. 

X 

X 



X 

X 


X 

X 



Contact Phase: 












Energy At ten. 



X 


X 



X 

X 


X 

Post Contact 












Phase : 












Capture 



X 

X 

X 



X 

X 


X 

Attitude 



X 

X 

X 



X 

X 



Align. 












Draw down 



mm 

X 

L9 



X 

X 



Rigidizing 



E9 

X 

89 


X 

X 


X 





X 

X 

X 


X 

X 




Undocking Phase 











Unrigidizing 



X 

X 

X 


X 



X 

X 

Separation 



X 


X 


X 

X 


X 

X 

Recycle Sys. 



X 



K9 
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2.4.001 Loss of vehicle control prior to capture by manipulator 
during docking. 

2.4.002 Lose of vehicle control after capture by manipulator 
during docking . 

2.4.003 Loss of manipulator Joint motor control during docking, 

2.4.004 Loss of manipulator computer aided control system during docking. 

3.2.5 Hazards Specific to Individual Docking Mod as 

The hazards associated with each of the docking modes are generally the 
same; i.e., the "common" hazards. This does not mean that all the docking 
modes are to be considered equally safe, since the criticality of the same 
hazard can be very different depending on the sizes and configuration of the 
vehicles involved. Thus failure to inhibit attitude hold after capture may 
be merely an inconvenience when a free flying module docks to an orbiter or 
a station, since the bending moments induced at the docking interface will be 
small; but the same hazard occurring when the orbiter docks to the station 
could be catastrophic, and result in structural failure, because of the large 
control moments and Inertias involved. Similarly, loss of vehicle control 
prior to docking is much more likely to result in contact and damage in the 
orbiter-to-station mode, because of the complex geometries and large masses 
involved, than in the free-flying module mode. 

Although there is no way of quantifying the effects of geometric aud 
mass differences in the docking modes, the criticality of the "common" 
hazards must ir. general be judged to be more severe for the orbiter-to- 
station mode than for the free-flying module mode. 

No additional hazards have been identified as peculiar to the orbiter- 
to-station docking mode. 

The free flying module docking mode hes the seme basic set of hazards 
as any docking maneuver unless it is unmanned and controlled either by 
computer aided system* or by remote human control. The requirement that 
the free flying module must be deployed from the cargo bay is not an 
additional hazard; it only increases the potential of vehicle damage if 
vehicle control is lost in close proximity to the orbiter. This hazard 
has been identified as common to any docking maneuver. 

The following additional hazards are identified with fee 

flying modules: 

2.5.001 Loss of Communications /Command capability during docking by 
unmanned free flying module. 

2.5.002 Loss of propulsion or control capability during docking 
by manned free flying module. 

2.5.003 Loss of life support capability during docking by manned free 
flying module. 
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The use of a mini-tug as a maneuvering vehicle to dock with and free- 
fly a cargo module to the station does not introduce additional hazards 
than any other docking mode. There are, however, more docking operations 

required, as discussed earlier, so that the occurrence of an accident 
is more likely. 

3.3 COMPARISON AND EVALUATION OF DOCKING SYSTEMS 

In order to determine the preferred docking system or docking mode 
from a safety point of view, a comparison and evaluation must be made 
between the different options considered based on the important safety 
evaluation criteria. Universal standards for criteria to measurw ur 
evaluate safety do not exist. Therefore a number of different criteria 
are used in what follows to compare the various systems and modes. 

For the docking systems, these comparisons were made on the following 
criteria. 

e Number of hazards 

e Criticality of hazards 

e Risk, or combination of probability and criticality 

e Operational complexity 

• Design impact of applying the safety requirements and guidelines 

• Residual hazards 

The results of these comparisons are presented in Section 3.3.1. The 
evaluation of the systems, i.e., deciding the relative merits of the options 
(from a safety point of view) depends on the relative Importance placed on 
each of the above six criteria, and is covered in Section 3.3.2. 

Final conclusions and recommendations are presented in Section 3.6. 

Since 11 of the hazards identified, their effects, and the resulting 
requirements and guidelines are common to all three docking systems, the 
comparisons in the following sections are confined to those hazards which 
are specific to each of the three systems. It is these differences which 
will determine the preferred system. 

3.3.1 Comparison of Docking Systems 

A comp*w.j.8on of the number of hazards that are directly associated 
with the three candidate docking systems is as follows: 

• Direct docking system - 2 hazards 

• Extendable tunnel system - 3 hazards 

'/ Manipulator docking system - 4 hazards 

A comparison based on how critical the hazards are, must be derived 
from levels of criticality. These may be defined as follows, for purposes 
of this study, in decreasing order of severity. 

• Loss of personnel 

• Vehicle damage 

• Docking system damage 
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This assumes that the docking system is maintainable or replaceable, 
so that damage to the docking system is less critical than other, possibly 
irreparable, damage to the spacecraft. 


The criticality of the hazards which are specific to the docking systems 
is shown in Table 3-6. "Personnel lore" hazards are identified for the sta- 
tionkeeping and dual manipulator methods of the manipulator system. The deal 
docK manipulator system has four vehicle damage hazards, compared to one each 
for the direct docking and extendable tunnel systems. 


Table 3-6. Criticality of Hazards Specific to Docking Systems 


Docking System 


Critical! tv 

Direct 

Docking 

Extendable 

Tunnel 

l 

Manipulator | 




Dual Dock 

Station-Keep, 
& Dual Manip. 

Loss of personnel 




2.4.003 

2.4.004 

Vehicle damage 

i 

2.2.001 

2.2.002 

2.3.003 

2.4.001 

2.4.002 

2.4.003 

2.4.004 

2.4.001 

2.4.002 

Docking system 
damage 


2.3.001 

2.3.002 



I (Numbers identify hazards - see Section 3.2) 


A further refinement can be made by comparing not only the criticality 
of each hazard, but also the relative probability of occurrence. Such 
estimates are at best subjective, but should nevertheless be factored into 
a full evaluation. Since only relative prolabilities are required for 
comparison, these are judged merely as 'low", "medium" and "high*" The 
combination of criticality and probability can only be shown as a matrix. 
Based on the assumption that the re contended guidelines and requirements 
are met, the judgements on the hazards of the three systems are as follows: 
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The results of these comparisons are summarized in Figure 3 . 3 -I. The 
manipulator system thus has the worst combination of number of hazards, 
criticalities and probabilities of occurrence, with the stationkeeping and 
dual manipulator methods having two hazards with the worst possible combina- 
tion of criticality and probability. 

Another comparison is on the basis of the operational complexity. The 
system with the most operations is exposed to the greatest risk. The 
significant operations were taken to be the free fly maneuver, the attach- 
ment and detachment of a manipulator to a module, and the docking and 
undocking of a module, includine rigidlzing, at a docking port. The 
comparison is shown in Table 3.7. This table covers the normal resupply 

docking, when a new module is being delivered to the station and another 
one is returned to the orbiter for return to earth. 

The three methods for the manipulator docking system are shown 
separately, since they differ in the number of operations. There is also 
a possible variation, as shown by the asterisked numbers, according to 


Table 3-7. Number of Operations for Different Docking Systems 



Operation 

System 

Free-fly 

Attach/Detach 

Dock/Undock 

Direct Docking 

2 


2 

Extendable Tunnel 

2 

- 

2 

Manipulator 




Station-keeping 

1-2* 

2 

1 

Dual dock 

1-2* 

3-4* 

2-3* 

Dual manipulator 

1-2* 

3-4* 

1 

*The higher number applies when the orbiter must be repositioned 
to reach the module being returned. 
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whether the returned module can be reached by the orblter manipulator 
without repositioning from its delivery position, or whether the orblter 
must reposition itself by a free flying maneuver to reach the returned 
module. 

The direct docking and the extendable tunnel systems involve two 
free fly, and two dockings and undockings each. The manipulator docking 
system Involves, in addition, the attaching and detaching operations of 
the manipulator, and a variable number of free fly, docking and undocking 
maneuvers, depending on the method used and the geometry involved. No 
clear-cut statement can be made that one system requires more operations 
than another. 

In order to compare the docking systems on the basis of design impact 
of applying the safety requirements and uldelines, only those safety 
requirements and guidelines which are specific to one or other of the 
systems and which have a significant impact on the design need be considered. 
It is assumed that each system is designed in the first place to perform 
its normal functions and that each system can perform these functions 
equally well. Thus differences in weight, complexity, cost, or other factors 
which are inherent to the systems are not evaluated. It is only the 
additional features required for safety (as identified in the hazards/ 
emergency analyses) that are evaluated. Significant design impact is 
considered to mean the addition of mechanisms, motors, actuators, and 
similar levels of hardware, for safety reasons. Addition of wiring, 
sensors, electronics redundancy, additional software requirements or special 
procedures are not considered significant design impact. 

Analysis of the eleven "common" hazards /emergency analyses (2.1.001- 
2. 1 .011) shows that the impact of the requirements and guidelines is essen- 
tially of equal impact on the three systems. Furthermore, many of the 
requirements and guidelines from the "specific" hazard/emergency analyses 
are the same as for the "common" ones. Of the remaining "specific" require- 
ments and guidelines, the following are considered to have significant design 
impact; these refer to the extendable tunnel and manipulator docking systems: 

Extendable tunnel 

2.3.003- 2. Extendable docking systems shall be designed so that 
the extension mechanism shall retain sufficient rigidity following 
any single failure to prevent uncontrolled vehicle motion or contact. 

Manipulators 

2.4.003- 3. Arm joints shall be designed to lock on indication of 
joint motor failure. Lock shall incorporate a slip clutch capability 
to prevent structural failures. 

2.4.003- 9. Two or more manipulators ‘'hall be provided in a manipu- 
lator docking system. Each manipulator shall be capable of performing 
docking by itself, and shall also be capable of continuing any docking 
function in the event of a failure of the other manipulator at any 
stage of the docking. 

2.4.003- 10. An emergency jettisoning capability shall be provided 
for manipulators, independent of the normal manipulator system. This 
shall be capable of jettisoning the manipulator following a failure 
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or accident which does not allow stowage of the manipulator and 
configuring the orbiter for reentry and landing. 

Furthermore, if the manipulator docking system is considered for 
transferring personnel between orbiter and station using the stationkeeping 
or the dual manipulator methods, the following two additional requirements 
become applicable. Because their purpose is to safeguard the transferred 
personnel, they have a major design impact. 

2.4.003-6. Modules which are used for personnel transfer by mani- 
pulator docking shall be provided with EVA pressure suits for all 
on-obard personnel, and with EVA exit capability so that the personnel 
can escape to the orbiter or the space station in the event the module 
becomes stranded between vehicles by a manipulator failure. 

2.4.003-7. Modules which are used for personnel transfer by 
manipulator docking shall provide emergency life support for 
all on-board personnel, until they can escape or be rescued by 
external means in the event the module becomes stranded between 
vehicles by a manipulator failure. 

The last comparison is in terms of residual hazards. Of the "specific" 
hazards identified, all have been judged to be residual hazards; i.e. even 
after the recommended requirements and guidelines have been Implemented, 
the possibility of damage to vehicle or docking system cannot be eliminated. 
The comparison therefore shows: 

Direct docking system - 2 residual hazards 
Extendable tunnel system - 3 residual hazards 
Manipulator docking system - 4 residual hazards 

3.3.2 Evaluation of Docking Systems 

The previous section, 3.3.1, presented a comparison of the three 
docking systems according to six criteria. In these sections these results 
are evaluated; i.e. a judgment is made on the relative importance of the 
results of the comparisons, in order that recommendations may be made from 
the safety point of view. 

The most significant safety consideration is the safety of the 
personnel. There are appreciable personnel safety implications in using 
the manipulator docking system in the stationkeeping and dual manipulator 
methods to transfer personnel between orbiter and station. These methods 
can lead to stranding personnel in the transferred module if the manipulator 
fails, with the further potential of personnel loss if the malfunction cannot 
be corrected in time or if the personnel cannot escape or be rescued. The 
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other systems, and the dual docking method of the manipulator system do 
not have the risk of personnel loss during personnel transfer, since 
personnel will only transfer through the docking port after ,’igidlzing 
of the orblter to station, when either vessel can provide adequate 
personnel safety. 

The seme issue can be considered from the point of view of how much 
of a design impact it is to make these two methods adequately safe for 
personnel transfer. To do this, the two requirements, 2.4.003-6 and -7, 
identified in Section 3.3.1,, for EVA capability and for emergency life 
support on each module used for personnel transfer, must be met. This 
is undoubtedly a very major design impact. The weight and volume of 
implementing these requirements would be chargable to the module, thus 
reducing the useful payload and available volume. Furthermore, these 
requirements cannot absolutely remove the risk, since the nature of the 
failure and the escape or rescue time cannot be definitely established. 

This risk of personnel loss therefore remains a residual hazard of the 
manipulator docking system used in these two methods for personnel transfer. 

These must therefore be regarded as strong safety disadvantages. The 
fact that only one docking and undocking is involved in each normal station 
resupply mission compared with 2 or more for the other systems is not con- 
sidered a significant safety advantage, since it merely affects the 
probability of a hazard, to a degree which is not known or measurable. 

A comparison of the three systems, excluding the manipulator system 
for personnel transfer in the two methods just discussed, does not show 
any other strong safety reasons for preferring one system over another. 

All three systems show the same criticality, with the potential of causing 
vehicle damage. The manipulator docking system (in the dual docking 
method) exhibits more modes for causing damage, and with a relatively 
higher probability, than the other systems, because of the mechanical and 
control complexity of the manipulator itself. If control of either the 
manipulator or of one of the vehicles is lost at a crucial phase, damage 
is quite likely because of the large volume swept by the manipulator 
envelope. The specific safety requirements, although fairly significant, 
would not noticeably affect the development of the system. 

The direct docking system, on the other hand, has the one relatively 
severe risk that a control system failure when the two vehicles are close 
to each other, can result in inadvertent contact and damage. The higher 
contact velocity of this system (up to 0.3 m/sec, 1 ft/sec) compared to 
the manipulator system (up to 0.03 m/sec, 0.1 ft/sec) could be expected to 
result in both less reaction time for corrective action and more damage. 

The extendable tunnel system appears, from the comparison, to have the 
lowest probability of causing damage. This occurs because of the relatively 
large separation of the vehicles (about 3 m, 10 ft) during the critical 
initial contact and capture phases of the docking maneuver. This makes the 
system relatively tolerant to approach condition errors and to control system 
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failures, allowing adequate time for crew diagnosis and corrective action. 
In addition, the most critical failure mode identified is failure of the 
extension mechanism, which is assumed to be a pneumatically Inflated tube. 
Should a different extension mechanism be used which has a more benign 
failure mode, the extendable tunnel system would be quite attractive from 
the safety point of view, exhibiting a lower criticality than the other 
systems. It must be remembered however that this system has not been 
adequately studied or developed, in a fully developed and practical system 
which are not apparent at present. 


V 
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3.4 COMPARISON AND EVALUATION OF DOCKING MODES 

Because the orbiter to station and free flying module modes differ at 
an overall concept level rather than a detailed system level, the comparisons 
and evaluation are made on different criteria from those for the docking 
systems. These criteria are: 

o The potential for crew injury or loss 

o The potential for vehicle loss 

o The potential for vehicle damage 

o The cost and payload impact of required safety 

These criteria are discussed and evaluated as a whole for each docking 
mode, rather than compared individually for the two docking modes. This 
section is therefore arranged in an evaluation section for each of the two 
modes, and concluded with a comparison of the two modes. 

3.4.1 Evaluation of Orbiter-to-Station Docking Mode 

The hazards identified for the orbiter to station docking mode have the 
potential of causing major damage to the orbiter and/or the station, but do 
not directly lead to personnel injury or loss. The damage would result from 
inadvertent contact of parts of the structure not intended to make contact. 
Because both vehicles are large and have complex geometries, with many pro- 
truberances, such as cargo bay doors, wings and manipulators on the orbiter, 
and solar panels, antennas and experiments airlocks on the station, almost 
any unprogrammed motion can lead to contact and damage. 

While the damage to the structure or equipment would not normally be 
expected to lead to personnel injury or loss, this cannot be ruled out as 
an eventual consequence of the damage. For example, if the aerodynamic 
surfaces of the orbiter are damaged so as to preclude reentry, and escape 
or rescue is not possible within the time constraint imposed by the life 
support capability, then crew loss would result. Or, again, if a massive 
penetration of the pressurized structure of the station occurs, personnel 
loss from depressurization is possible. 

Generally, however, the effects would be limited to damage to the vehicle, 
and the potential for personnel injury or loss should be assessed as a second 
order effect. The proximity of the orbiter and station, either of which can 
provide for the long term safety of personnel (one by return to earth and the 
other by virtue of its inherent long duration capability) , and the assumed 
EVA capability virtually ensure that personnel who survive the immediate 
accident can be safeguarded. 

The possibility of loss of one vehicle following a docking accident is 
quite real, however. The orbiter is vulnerable in a number of ways. The 
cargo bay doors must be closed before reentry; damage to the closing mechanism, 
or to the doors themselves, could result in the ingestion of hot reentry gases, 
leading to thermal degradation of the internal structure. The wings, fuselage 
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and tail surfaces are part of the aerodynamic configuration, and damage can 
affect the stability and control of the vehicle in the atmosphere. The crew 
cabin also is near the docking port, and damage to that could preclude return 
to earth. If an assessment of the damage prevents return to earth, a very 
complex and costly rescue and repair shuttle mission would be required, pro- 
bably with much EVA maintenance. In extreme cases the orbiter would be written 
off as a complete loss, and the rescue mission would concentrate on saving the 
personnel and placing the orbiter on a safe reentry orbit. 

The space station, being modular in nature, is much more tolerant to 
damage. Damage would generally be confined to one module, and this could 
be returned to earth in the orbiter for repair or replacement. This could 
be quite difficult, however, if the affected module were the core module, 
since all other modules are attached to it. In such a case the space station 
may be temporarily abandoned, and a new core module brought up in due course. 
The space station would then be re-assembled about this module, and the damaged 
core module returned to earth. Damage to the solar arrays (relatively likely 
because of the large area exposed) could similarly lead to temporary station 
abandonment. 

No requirements or guidelines have been identified in the hazard/emer- 
gency analyses which apply specifically only for the orbiter to station 
docking mode. The "common" requirements and guidelines are equally applicable 
to the free flying docking mode, and have equal design and cost impact when 
applied to either mode. The impact of safety on the cost and payloads for 
the orbiter to station docking mode is therefore minimal. 

3.4.2 Evaluation of Free-Flying Module Docking Mode 

The free flying module docking mode has a very definite potential for 
personnel loss. If loss of the propulsion, control or life support capa- 
bility occurs while the module is free flying between orbiter and station 
with personnel onboard, personnel loss can occur. Escape can only be effected 
by EVA to the orbiter and station. Rescue is possible by t.ie orbiter, but 
only if the module can still be stabilized (for docking) and if adequate life 
support capability remains. The possibility of personnel loss must therefore 
be rated as relatively high. In contrast to the orbiter to station docking 
mode, loss of personnel can follow directly as a consequence of a system 
failure, and does not depend on a propagation of unlikely effects. 

The potential for personnel loss appears to be about the same for the 
integral systems module, space-based mini-tug or ground-baaed mini-tug 
approaches. All three involve one free flight of the manned module for each 
manned module transfer maneuver, and therefore expose the personnel to equal 
risk. The probability of propulsion, guidance and life support systems failure 
which could affect personnel safety are essentially the same whether this 
equipment is located integrally on the module or in the mini-tug. The mini- 
tugs thermselves have more flights than the integral systems module (5 flights 
for the space-based and 3 for the ground-based mini-tug, compared with 2 for 
the integral systems module). However, the number of manned flights is the 
same (2 in each case). The risk to personnel is the same in each case. 
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Providing a spare mini- tug in the program provides a back-up rescue 
capability, but this is available by the orbiter, anyway. It does not reduce 
the risk from a failure which causes the free flying module to lose attitude 
control, to tumble out-of-control, or to fly off in a trajectory beyond the 
propulsive capability of the spare mini-tug to catch up and return it. 

In this respect, the redundancy provided by the spare mini-tug is far 
better employed as on-board redundancy of the critical systems, so that any 
failure (except a catastrophic failure which destroys the whole mini-tug) 
can be promptly counteracted, irrespective of the vehicle’s motion. This 
conclusion, that built-in redundancy is safer than a spare vehicle, applies 
equally to the integral systems module and the two mini-tug concepts. 

The possibility of an inadvertent collision between the free flying 
module and the orbiter or space station is about as likely as for the 
orbiter to station docking mode. The resultant damage, however, is likely 
to be much less, for two reasons. Firstly, the geometry of a single module 
docking to orbiter or station is much simpler, so. that fewer points on the 
two vehicles will come into contact. Secondly, the mass of a free flying 
module is only about 10 to 20 percent of the mass of either orbiter or 
station, so that the energy involved in the collision is relatively small. 

As for the orbiter to station docking mode, inadvertent collision could 
lead to personnel loss, but only as a secondary effect. The probability of 
personnel loss on the station or orbiter must be considered less than on the 
orbiter to station mode, because of the expected smaller potential for damage. 
The probability of personnel loss on the free flying module is higher than 
on either of the two large vehicles, however, because the free flying module 
is more vulnerable to accidents, A given penetration of the structure will 
lead to more rapid depressurization, because of the smaller volume; dual 
pressure volumes are not likely on the free flying module; and the duration 
of the prime and the emergency life support capability will be of the order 
of hours rather than days, as on the orbiter and station. 

When considering the impact of safety on the design complexity of the 
free flying module docking mode, this must be judged to be a major impact. 

The requirement for a life support system on the module is not considered as 
a safety requirement, as it is needed for the normal vehicle function of 
transporting personnel. The redundancy required in this system, the added 
redundancy in the control, power, propulsion and communication systems, the 
EVA suits and EVA capability, and the emergency life support capabilities, 
are directly attributable to safety. These are reflected in the hazard / 
emergency analyses referring specifically to the free flying module docking 
mode (No.'s 2.5.001 to 2.5.003). These requirements considerably affect 
the net payload capability of each free flying module, as well as the volume 
availability for cargo. 

Typical weights and volumes for these safety requirements are shown in 
Table 3-8 for a 6-man vehicle. 534 kg (1180 lb) and 3 m3 (106 ft3) of useful 
cargo are lost. This assumes that the EVA suits are relatively lightweight 
emergency suits, with a simple oxygen purge system, capable of one-half hour 
life support, rather than a normal portable life support system. 


81 


SD 72-SA-0094-2 






Space Division 

North American Rockwell 


Table 3-8. Typical Increment's In Weights and Volumes for 
Meeting Safety Requirements on a Manned Free- 
Flying Module 


Item 

Weight 
kg (lb) 

a 

co<5 

O 

Si 

toft 

Redundant Systems 



Conmunicationo 

27 (60) 

.04 (1.5) 

Power (4 hrs) 

54 (120) 

.06 (2) 

Environmental Control (4 hrs) 

36 (80) 

.07 (2.5) 

Reaction Control (20 lb jets) 

27 (60) 

.06 (2) 

6 Pressure Garment Assemblies and 

190 (420) 

.57 (20) 

Oxygen Purge Systems 

2-Man Airlock 

159 (350) 

2.11 (75) 

Emergency Life Support (48 hrs) 

41 (90) 

.09 (3) 

Total 

534 (1180) 

3.00 (106) 


3.4.3 Evaluation of Free-Flvlng Module Docking Mode used for Unmanned 
Operations Only 

A considerably different safety evaluation of the free flying module 
docking mode arises If this mode Is used only for transferring unmanned 
payloads, and the orblter to station mode Is used when personnel transfer 
between the vehicles Is Involved. This combined mode could be practical 
If a mini- tug has been developed for other purposes and Is available for 
docking unmanned payloads, or if some orblter payloads, such as a space tug, 
have the propulsion and control capability built into them, and require 
transfer from the orblter to station and vice versa. 

The advantages associated with docking a smaller mass to the orblter 
or station, and of the simpler geometry reducing the potential for damage 
on collision, apply to this mode in the same way as described for the 
(manned) free flying module mode in Section 3.4.2. The disadvantages of 
having a relatively high potential of personnel loss, and of severely impact- 
ing the weight and volume of the transported payload, no longer apply, how- 
ever. Some equipment, namely control systems, propulsion, communications , 
etc., would still require redundancy (see Hazard/Emergency Analysis No. 
2.5.001), to ensure the whole vehicle is not lost. But this is a general 
system safety requirement, applicable to the module because it is a free 
flying module, and is not directly attributable to the docking mode. - 
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This mixed mode therefore provides safety advantages over the orbiter 
to station docking mode on its own, and over the free flying module docking 
mode on its own. These advantages apply so long as the free flying module 
is not used at all for personnel transfer. The orbiter to station docking 
mode can be used for the transfer of personnel or of unmanned cargo, as 
required. The overall r sks are minimized, however, when the orbiter to 
station mode is used for personnel transfer, to minimize risks to personnel, 
and all unmanned transfer is performed by the free flying mode, which mini- 
mizes risks to the orbiter and station. 

The disadvantages of this mixed mode are not safety disadvantages, but 
are associated with the program complexity of having two docking modes in 
the program. The docking system can be designed to handle upto a 10:1 range 
in docking masses, as would be required, and does not need different energy 
attenuation systems for the two cases. Of course, if the free flying module 
capability or the mini-tug were needed only for increasing the docking safety, 
the cost of these developments would then have to be considered against the 
Incremental safety which is obtained, and the concept would be very unattract- 
ive; but if the systems are developed for other reasons, this additional safety 
is obtained for a very small cost only. 
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3.5 EMERGENCY DOCKING CONSIDERATIONS 

The reasons for emergency docking, establish certain requirements that 
will determine which of the three docking concepts should be favored from 
an emergency docking standpoint. The reasons for emergency docking that 
appear to cover the majority of possibilities are as follows: 

1. A time critical malfunction of a system In either manned /passive 
or manned/active vehicles, th^t- if docked to the other, would 
provide succor or permit mission continuance. 

2. Retrieval of a disabled, unmanned, free flying, module or disabled 
unmanned station for the purpose of salvage or deorbit of debris. 

3. Time critical transfer of disabled crew which could prevent 
fatality. 

4. Time critical transfer of supplies which would prevent crew 
disability. 

Conditions that may complicate an emergency docking, other than system mal- 
functions or disabled crew, are the requirement to have the sun in a parti- 
cular orientation during docking and the requirement to dock at nigh . 

The time critical emergency docking reasons (3 out of 4), by their 
nature, would favor the docking system and mode requiring the shortest, 
operational time line for the docking maneuver. A fair measure of time 
line is the number of functions a docking system must perform to complete 
the docking maneuver. 

This would favor the orbiter to station docking mode over the free 
flying module mode, and the direct docking system over the extendable tunnel 
and manipulator docking systems. The free flying module mode, in particular, 
considerably extends the total time from initiation of the docking maneuver 
to its completion. 

However, the importance of reducing the docking time in evaluating the 
merits of the various docking systems and modes must be kept in perspective. 
Given that t time critical emergency has occurred, the probability that it 
occurs when the orbiter and station are positioned and configured so that 
they can initiate a docking maneuver immediately is very remote. It is only 
in that unlikely dr Constance that the time to effect the rescue is signifi- 
cantly affected (as a percentage) by a reduction in the docking time. For 
example, if the emergency occurs in the space station, the chances are that 
no orbiter is in space at the time. A shuttle rescue mission may typically 
take 10 hours from an alert to rendesvous. The difference between one method 
of docking and another may be 1.5 minutes (in an emergency mode), and this time 
is unlikely to be critical to the success of the rescue. Similarly, even if 
an orbiter is in orbit at the time, it may be two hours before orbits can be 
phased and matched; a large time compared with the 15 minutes difference between 
the docking methods. 
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When considering the two docking modes, the time advantage is clearly 
in the orbiter to station docking mode. In this case the added time for 
deploying and free flying a module to the distressed vehicle could be upto 
a few hours, particularly if a mini-tug is involved, and this could be a 
significant addition to the total time available. 

The two emergency docking situations that involve spacecraft systems 
malfunctions could be too hazardous for an approach with a direct docking 
system. If, for example, the target vehicle has low attitude stabilization 
and cannot maintain "attitude hold", resulting in a tumbling rate, it may be 
impossible for the active docking vehicle to chase the target docking port 
in both rotation and translation. If a free tumbling vehicle rotates about 
its center of mass, a docking port, located some distance away from the center 
of mass will have a circular motion, and will be oriented at some angle to the 
plane of rotation. Of the three docking systems considered, only the manipu- 
lator has the capability to add its dexterity to that of the active vehicle 
in the task of capturing a tumbling target vehicle. Such a maneuver would, in 
general, require degrees of freedom not necessarily built into the manipulator, 
and could be quite hazardous if the tumbling axis is changing rapidly. This 
problem is discussed in Section 2.0 of Volume III. 

If the target vehicle is inadvertently spinning about an axis through 
or near the docking port, the manipulator docking system is again the only 
concept, of the three, that could spin synchronize its capture interface 
with respect to the turning target vehicle docking port, and de-spin and 
dock. In either the tumbling mode or the roll spin mode, the manipulator 
would also be favored, from a safety standpoint, because of its capability 
to effect capture at a distance. 

If the emergency consists of the passive vehicle having lost attitude 
hold capability and it is either tumbling very slowly, within the design 
capability of the docking system, or is subject to unpredictable motions 
due to venting, the direct docking system would be the least desirable, 

| because of the close approach of the two vehicles. The manipulator system 

' would offer the best and safest method, with the extendable tunnel an inter- 

* mediate choice. 

In summary, emergency docking considerations favor the orbiter to 
station docking mode over the free flying module mode because of its quicker 
! time response; although the direct docking system is the quickest system, the 

manipulator system has advantages in increased separation between the vehicles 
i and in capability to deal with out-of-control vehicles. 
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3.6 CONCLUSIONS AND RECOMMENDATIONS 

This section summarizes the conclusions reached from the safety evalua- 
tion of the docking systems and modes, and presents the resulting reco' menda- 
tions . 


The conclusions reached on the docking systems are summarized as 
follows : 

e Each of the three docking systems — direct docking, extendable 
tunnel and manipulator — can be made adequately safe. 

• The "docking vehicle active" and the "docking vehicle passive, 
docking system active" methods of using the extendable tunnel 
docking system show no significant safety differences. 

e The station keeping and the dual manipulator methods of using 
the manipulator docking system have the potential of personnel 
loss in the event of loss of manipulator control before a manned 
attached module is docked. This remains a residual hazard even 
when complex emergency life support requirements are added to the 
manned modules. The dual docking method requires more operations 
to effect docking, but does not have the potential for loss of 
personnel. 

• All three docking systems have the potential of damage to the 
docking system and damage to the vehicles. The damage to the 
spacecraft could, in certain circumstances, be critical enough 
to result in loss of vehicle or loss of personnel. 

• The direct docking system has the greatest potential for inadvertent 
collision because of the close proximity of the docking vehicles. 

• The manipulator docking system has the minimum potential for inadvert- 
ent collision between vehicles because of the relatively large separa- 
tion distance at initial capture, but has more failure modes which 
can result in inadvertent contact and damage. 

e The direct docking can perform a time critical emergency docking 
quicker than the other systems. The manipulator docking system 
has more potential for docking with an out-of-control, tumbling 
or spinning spacecraft. 

• The hazards and risks of the three systems are not equally well 
understood because of the different development status of the systems. 
The direct doeking system is relatively well understood from Gemini 
and Apollo experience, the manipulator system has been defined to 
some extent in the Shuttle Phase B studies, but has not been tested 
or simulated at the time of this study, and the extendable tunnel 
system is only in a conceptual stage. 
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• The safety advantages and disadvantages of the three systems are 
sufficiently balanced and uncertainties in the current system 
definition are such that a ranking of the system from the safety 
point of view cannot, be made at present. 

• If the docking systems, when developed, operate as assumed in the 
study, i.e., without any major additional complications in the 
design or additional hazards, then the extendable tunnel system 
appears to require the least attention to make it adequately safe, 
and the manipulator system the most. 


The conclusions reached on the docking modes are summarized as 
follows : 

• The free flying docking mode has a potential for personnel loss 
when used to transfer personnel between orbiter and station. 

The necessary safety requirements for 6 men on the free flying 
module reduce the payload capability by 500 kg (1200 lb) and 3 m 

(100 ft^) , but the potential for personnel loss remains a residual 
hazard. 

• The free flying module docking mode precludes the possibility of 

a single accident resulting in loss of both the orbiter and station. 

« No significant safety differences exist between the integral systems 
module, space based mini-tug and ground based mini-tug methods of 
using the free flying module docking mode. 

9 The orbiter to station docking mode has more potential of causing 
major damage to the orbiter and/or station than the free— flying 
docking mode but does not directly lead to personnel loss . Loss of 
personnel or loss of a vehicle as a result of the damage is possible 
out not likely. 

• Use of the free flying mode for transferring only unmanned modules 
between orbiter and station eliminates the potential of personnel 
loss during transfer. It also has a reduced potential for vehicle 
contact and damage compared to the orbiter to station docking mode 
because of the simpler geometry and smaller docking energy involved. 

• The orbiter to station docking mode provides significantly quicker 
docking than the free flying module mode in the event of a time 
critical docking requirement. 
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The recommendations that result from this task are based on the 
following precedence of safety se. action criteria: 

• A system or mode which has the lesser potential for personnel 
loss Is preferred. 

• Of the remaining choices , the system or mode in which the safety 
requirements and guidelines can result in a significantly lesser 
risk (in terms of probability and severity of damage) is preferred. 

• Where the requirements and guidelines result in essentially equal 
rif /-. the choice in which the requirements and guidelines result 
lr ' S i.ificantly less design impact is preferred. 

• The capability to better deal with an emergency situation is 
considered in the recommendations , but is weighted relatively 
lightly because there is no clear-cut advantage to any of the 
systems or modes , and because of the low probability of an 
emergency docking being required. 

These recommendations are: 

• The direct docking, extendable tunnel, and manipulator docking 
systems should all be considered as acceptable docking systems 
from the safety point of view. 

e The station keeping and dual manipulator methods of using the 
manipulator docking system should be rejected as practical 
options for personnel transfer in normal operations because 
of their high potential for personnel loss. The methods are 
acceptable for transfer of unmanned modules, or for emergencies. 

e The use of the free-flying docking mode for the transfer of 

manned modules should be rejected for normal operations because 
of the potential for personnel loss. The mode may be used 
in emergencies. 

• The orbiter-to-station docking mode should be considered 
acceptable from the safety point of view with any of the 
acceptable docking systems. 

• If mini-tugs (such as remote maneuvering units) or modules 
with self-contained propulsion, control and docking capabilities 
(such as the space tug) are developed for other purposes and are 
available, their use in transferring unmanned modules or payloads 
between orbiter and station should be considered as an acceptable 
docking mode. Use of this free-flying module mode for unmanned 
payloads in conjunction with the use of the orbiter to station mode 
for all manned modules has significant safety advantages. 
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3.7 RESIDUAL HAZARDS AND HAZARDS RESOLUTION 

This section summarizes the hazards identified in Sections 3.2.3 to 3.2.5 
and their resolution as defined in Section 2.0, and presents the resulting 
requirements for supporting research and technology. 

3.7.1 Resolution of Identified Hazards 


The disposition of the 23 hazards identified in Sections 3.2.3 to 3.2.5 
is shown in Table 3-9. This shows the judgements of the investigators as to 
which hazards should be resolved by implementation of the recommended require- 
ments and guidelines; which are residual hazards; which of the residual hazards 
represent acceptable risks; and which require supporting research and technology 
(SRT) or must at present be considered as unresolved safety issues. This hazards 
resolution has been performed in accordance with the procedures and definitions 
described in Appendix A. 

3.7.2 Supporting Research and Technology Requirements 

The supporting research and technology requirements resulting from the 
areas of uncertainty of this task are listed below. The main originating 
hazards /emergency are indicated in parenthesis. 

• The feasibility using a non-collision approach path during the 
docking maneuver until the approach velocity is reduced to within 
the docking attenuation capability should be investigated. Orbital 
mechanics, guidance, propellants penalties, optical aids and human 
factors should be considered, and detailed procedures developed. 

The risks and other factors of this method should be evaluated 

and compared with the direct (collision-path) approach. 

• The dynamics of the docking maneuver under various nominal and 
worst case conditions should be investigated to assure that design 
requirements and operational procedures are available under all 
credible conditions to ensure the safety of the vehicles. Special 
attention should be given to vehicle conditions with maximum off- 
sets of the docking port from the center of gravity, and to control 
system or propulsion failures immediately before or after contact. 

• Simulation studies of the dynamics and crew capabilities of the 
manipulator docking system should be conducted at the earliest 
possible time in order to understand the dynamic characteristics 
of the system and to identify and resolve hazards which are not 
apparent from conceptual studies. A safety analysis should be 
an integral part of such simulations. 
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Table 3-9. Hazards Resolution 


Hazard No. 




2.1.006 


2.1.007 


2.1.008 


2.1.009 


2.1.010 


2.1.011 


2.2.001 


2 . 2.002 


Impairment or visibility at critical X 
moment during docking. 

Loss of vehicle control prior to 
docking contact. 

Loss of vehicle control after 
initial contact during docking. 

Failure to inhibit attitude hold of 
one vehicle after capture during 
docking . 

Loss of docking system function or 
control. 

Failure of orbiter payload module 
deployment mechanism prior to dock- 
ing. 

Hardware protrusions in the docking 
tunnel. 

Unsecured equipment and personnel 
during docking. 

Degradation of life support system 
during docking. 

Docking hatch opened when pressure 
equalization incomplete. 

Electric discharge during initial 
nocking contact. 


Los 8 of vehicle control in close 
proximity to other vehicle during 
docking . 

oss of attenuation capability dur- 
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Hazard No. 


2 . 3.001 


2 . 3.002 


2 . 3.003 


2 . 4.001 


2 . 4.002 


2 . 4.003 


2 . 4.004 


2 . 5.001 


2 . 5.002 


2 . 5.003 


Loss of vehicle control prior to 
docking contact by extendable 
tunnel. 

Loss of vehicle control after 
capture by extendable tunnel 
docking system. 

Loss of pressure in the pneumatic 
extension and energy absorption 
mechanism of the docking system. 


Loss of vehicle control prior to 
capture by manipulator during dockinj 

Loss of vehicle control after 
capture by manipulator during dockinj 

Loss of manipulator joint motor 
control during docking. 

Loss of manipulator computer 
aided control system during docking. 


Loss of Communications /Command 
capability during docking by 
unmanned free flying module. 

Loss of propulsion or control 
capability during docking by 
manned free flying module. 

Loss of life support capability 
during docking by manned free 
flying module. 
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4.0 PERSONNEL TRAFFIC PATTERNS, ESCAPE ROUTES AND 
ON-BOARD SURVIVABILITY 

The purpose of this task was to analyze the personnel traffic patterns, 
escape routes, and on-board survivability from a safety standpoint for the 
orbiter with crew and passenger, sortie modules, and for the Modular Space 
Station. Among the primary areas of concern are (a) where separately press- 
ure isolatable compartments are recommended, (b) whether dual access to each 
area is essential, (c) feasibility of dual escape routes and from each area to 
other areas not common to each other, (d) number, location and size of air- 
locks, and (e) location of hatches. 

Three particular situations were investigaged insofar as they concern 
the safety of the orbiter, sortie module, and space station personnel while 
in orbit: 

• Normal operations, in which no emergency exists, were assessed in 
order to specify recommendations which would minimize the danger 
of crew injury should an emergency arise. 

• Emergency operations, where an emergency has arisen. 

• Extravehicular and Intravehicular activities (EVA) and (IVA), where 
such activity is required in the performance of experiments, vehicle 
maintenance or repair, or as a result of an emergency situation. 

Generalized candidate configurations, typical of the many variations 
possible and those which have been or are being considered, were modeled 
for the orbiter, sortie modules, and Modular Space Station, and evaluated 
for their ability to satisfy safety requirements which evolved from an 
analysis of identified credible emergencies. 

Specific baseline configurations, representative of those resulting 
from current advanced studies, were similarly evaluated for the orbiter, 
sortie modules, and space station in order to generate specifically applicable 
safety data for these vehicles which may materially effect their configuration 
or selection. In all cases, the minimum possible configurational changes 
from the baseline are recommended if required to meet safety criteria. 

The analyses are presented in the following order: 

4.1 Credible emergencies are identified for all the vehicle considered. 

4.2 The orbiter is analyzed with an unmanned payload, and conclusions 
reached. 

4 . 3 The analysis is extended to a manned sortie module attached to the 
orbiter, and conclusions reached. 

4.4 The space station is analyzed, during normal operations, during 
assembly, and during resupply by an orbiter, and conclusions reached. 
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Supporting analysis are presented In Appendix C. Hazard/emergency analyses 
performed for each baseline vehicle configuration, are contained in Appendix D. 
The requirements and guidelines are contained in Volumes IV and V. 
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4.1 IDENTIFICATION OF CREDIBLE EMERGENCIES 

The assessment of escape routes and compartmentatlon isolation required 
the identification of credible emergencies from which configuration oriented 
and supporting requirements could be generated through subsequent hazards 
analysis. The derivation of supporting requirements, such as those which are 
subsystems or operationally oriented, are necessary to make configurations 
acceptable, but are secondary objectives as compared to those requirements 
which drive vehicle compartmentatlon. 

Existing safety documentation from the shuttle, modular space station, 
and RAM vehicle programs, the Boeing Space Station Safety Study, the Lockheed 
Safety studies, as well as documentation from previous tasks of this study 
were reviewed in order to establish credible emergencies to which vehicle 
compartmentatlon is sensitive. Catastrophic emergencies are not considered. 

Eleven credible emergencies, which can be grouped into emergency classes 
which include fire/toxic environment, explosion, loss of pressure, inoperative 
hatches, and inoperative docking ports, resulted from this review, and are 
listed in Table 4.1-1 together with the corresponding assigned hazards analysis 
number and vehicle applicability. 

Two types of fires can be defined to cover the spectrum of fires possible. 
A small fire is one which is of a magnitude which can be manually controlled 
and extinguished, does not require evacuation of the affected compartment, 
and causes only minor damage from the generated heat, smoke, fumes, and other 
combustion by-products. 

Conversely, a large fire is one which requires evacuation of the affected 
compartment and possesses the potential of causing major damage to the vehicle 
and Injury to the crew. It is the large fire which is of primary Interest to 
this task, at a level which requires evacuation but does not result in crew 
injury. 

In addition to the toxic environment created by a fire, atmospheric 
contamination can result from internal leakage (fluids leaking into the 
habitable environment) , or from release of biological substances into the 
atmosphere. 

A fire and toxic environment are combined into 4 ngle emergency because 
they lead to the same evacuation and compartmentatlon requirements. 

An explosion is considered a credible emergency due to the numerous 
potential explosive sources associated with the orbiter, station, and sortie 
modules such as propellants, high pressure gases, cryogenics, and experiment 
fluids. Many emergency situations can lead to emergency evacuation of a 
compartment. These situations are considered credible and therefore must 
be considered. 
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Table 4.1-1. Credible Emergencies 


0) 

(0 


Applicability 

Hazard Anal] 
Number 

Credible Emergency 

Orbiter 

Sortie 

Module 

Operational 

Station 

Station in 
Assembly 

3.1.001 

Fire/ toxic environment 

X 

X 

X 

X 

3.1.002 

Explosion 

X 

X 

X 

X 

3.1.003 

Emergency evacuation 

X 

X 

X 

X 

3.1.004 

Lobs of pressure 

X 

X 

X 

X 

3.1.005 

Failure to open Internal hatch between 
pressure isolatable volumes 

X 

X 

X 

X 

3.1.006 

Failure to open docking hatch after docking 

X 

X 

X 

X 

3.1.007 

3.1.008 

Failure to close docking hatch before 
undocking 

Inability to use docking hatch for EVA when 
EVA required 

X 

X 

X 

X 

X 

X 

3.1.009 

Failure to close external airlock hatch when 
returning from EVA 

X 

X 

X 


3.1.010 

3.1.011 

Failure to open Internal airlock hatch when 
returning from EVA 

Failure to close IVA airlock hatch on 
depressurized/contaminated side or to 
open hatch on pressurized/habitable side 
when returning from EVA. 

X 

X 

X 

X 
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Loss of pressure, as defined for Chls task means loss of pressure of a 
normally pressurized habitable volume. Rapid loss of pressurization can 
result from a collision between vehicles or between a vehicle and space 
debris, meterold penetration, or the Inadvertent puncture of a vehicle 
pressure shell from within. 

An Inoperative hatch Is a hatch which falls to open or cJose. Two 
types of hatches are involved In this emergency class. These are internal 
and external hatches. An internal hatch Is used to Isolate pressure volumes 
within a vehicle. An external hatch opens to space. A hatch which Is in** 
eluded with each docking port is referred to herein as a docking hatch. A 
docking hatch can be used as either an Internal or external hatch, depending 
on whether the docking interface is open to space or is closed to another 
vehicle. 

The potential effects of four of these emergencies, namely, fire/ toxic 
environment, explosion, emergency evacuation and loss of pressurization, 
required definition to classify the level of these emergencies to be con- 
sidered for analysis. The primary assumptions for this task, as they affect 
reaction time, need to evacuate a compartment , injured/incapacitated personnel, 
restoration to a shirtsleeve environment, and potential to cause ether credible 
emergencies are listed in Table 4.1-2. 


Table 4.1-2. Assumed Effects for Variable Level 

Credible Emergencies 



Minimum 
Reaction 
Time (Mins) 

Need to 

Evacuate 

Compartment 

Injured/ 

Incapacitated 

Personnel 

Restoration 
to Shirtsleeve 
Environment 

Can Cause Other 
Listed Credible 
Emergencies 

Fire/Toxic Environment 

0.5 

Yes 

No 

Yes 

Yes 

Explosion 

0 

Yes 

Yes 

No 

Yes 

Emergency Evacuation 

5 

Yes 

No 

No 

No 

Loss of Pressurization 

2-8 

Yes 

No 

No 

No 


For .example, the type of fire or toxic environment considered requires 
rapid (0.5 min) evacuation, but does not result in personnel Injury, and allows 
for eventual return to the affected compartment. More severe accidents, which may 
injure personnel, or which do riot allow shirtsleeve return to the affected com- 
partment, are considered under "explosion" and "emergency evacuation". 
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4.2 SAFETY ANALYSIS OF OR BITER CONFIGURATIONS 

Seven possible orbiter configurations are evaluated for their inherent 
capability to cope with the credible emergencies identified in Section 4.1. 
In addition to the level of emergencies considered with respect to reaction 
time and effect, which were given in Table 4.1-1, the following major 
assumptions were required to scope the analysis to within workable bounds. 
These are: 


• Emergencies, other than hatch failures, are not considered on 
airlocks . 

• De-orbit /re turn to earth requires crew participation in crew 
compartment. 

• Rescue vehicle is not available. 

• No double emergencies are considered. 

• Airlocks are sized for two crewmen or all crewmen. If sized 
for all crewmen, they are treated and evaluated as a second 
volume. 

• Passage of. Tiany personnel through an airlock, two at a time, 
is not acct - cable. 

• Airlock compartment for EVA can be crew compartment , passenger 
compartment, or airlock. 

• Planned EVA will be accomplished through an airlock. 

• Safety is not achieved via EVA. 

Each of the seven candidate orbiter configurations, was evaluated within 
the constraints of the assumptions, to determine the operational options 
available to cope with each credible emergency. Analysis of the operational 
options resulted in secondary configurational, subsystems, and operational 
requirements necessary to make the option viable. 

4.2.1 Candidate Orbiter Configurations 

The baseline configuration of the orbiter is composed of an airlock, and 
a crew and passenger compartment as shown in Figure 4.2-1. This is the final 
configuration resulting from the NR Phase B study. The airlock, \diich is of a 
size to accommodate at a minimum, two suited crewmen, is located at the forward 
end of the orbiter, is fitted with a docking port, and an EVA hatch at the 
docking port. An emergency exit hatch, usable only on the ground because it 
leads to the closed wheel well when on-orbit, is located opposite the docking 
port. Accessibility to the crew/passenger compartment is provided via a hatch 
at the airlock to crew/passenger compartment interface. The crew/passenger 
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CREW 



compartment is a single pressure volume but is separated, area wise, into a 
crew and a passenger compartment by a floor, in which a door is fitted for 
access between the compartments. Subsystems equipment is housed in under a 
second floor in the passenger compartment. Because this configuration is 
baseline for the current shuttle studies, it is given particular emphasis in 
this task, and is used as a basis from which six other selected candidate con~ 
figuration concepts are developed. 

The selected configurations are based on the number of practical ways 
in which the following compartments can be arranged: 

1. Crew compartment 

2. Passenger compartment 

3. Airlock 

Compartments which are not inhabitable, such as the cargo bay, are not 
included. 

A simplified means was employed for depicting the orbiter compartmentation 
arrangements , an example of which is illustrated in Figure 4*2-2, together 
with the seven selected candidate configurations. The baseline orbiter con- 
figuration sketch is shown at the upper left corner of the figure. The equiva- 
lent compartmentation schematic is shown directly opposite the sketch with the 
airlock identified with hatched lines. 

The location of hatches, doors and openings are outputr of the analysis 
and therefore are not indicated in the candidate orbiter configurations. 

From the schematic representations, however, a hatch, door, or opening may 
be located anywhere there is a solid line. 
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CANDIDATE CONFIGURATIONS 



1C/P 1 CREW/ PASSENGER COMPARTMENT 

F C~| CREW COMPARTMENT 

[ P 1 PASSENGER COMPARTMENT 
^ AIRLOCK 


Figure 4.2-2. Candidate Orbiter Configurations 


4.2.2 Orbiter Compartmentation Analysis 
4. 2.2.1 Operational Options 

The operational options available for all emergency situations are shown, 
together with their applicability to the specific orbiter configurations, in 
Figures 4 . 2-3A through Figure 4.2-3G. The single option, which is universally 
available for all emergencies is to "take the risk". A program decision not 
to accept the safety recommendations implies that the risk associated with 
the emergency is being taken. 

Within the operational options available to cope with a fire/toxic environ- 
ment, the requirement to extinguish the fire, purge the atmosphere, and return 
to the affected compartment is fundamental, to all, as shown in Figure 4.2-3A. 

The underlying rationale for the commonality is that inability to extinguish 
the fire would be a catastrophe, and the inability to purge the atmosphere 
and return to the affected compartment would result in loss of the mission. 

Only the fire isolatable compartment option is compatible with the single 
compartment configurations. The fire isolatable compartment, as applicable 
here, means that it is capable of isolating the atmosphere within the com- 
partment from the smoke, fumes, heat, or otherwise toxic environment generated 
within the affected compartment. The primary means for accomplishing this 
isolation is envisioned to be through creation of a small positive delta 
pressure in the isolat&bla compartment relative to the affected compartment 
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COMPATIBLE 

CONFIGURATIONS 

1 2 3 4 5 6 7 



X X X X X 


X X X X X X X 


* ISOLATES ATMOSPHERE, BUT NO SIGNIFICANT Ap CAPABILITY 

Figure 4.2-3A. Options - Fire/Toxic Environment 


which could be produced by a slight venting to space capability of the 
affected compartment. Two areas which affect venting capability are of major 
concern, however, with this approach. These are the capability to dissipate 
the generated heat of a fire, and the prevention of excessive pressures due 
to this heat. An examination, documented in Appendix A, into the heat and 
pressure produced by a fire within a given volume disclosed that these para- 
meters are far beyond practical structural limits if all the oxygen in a given 
mixed atmosphere volume, approximating that of a sortie module, is used to 
support combustion of an unlimited quantity of combustible material. The 
amount of combustible materials, in terms of total Btu's, within a pressurized 
volume should, therefore, be controlled within predetermined acceptable limits. 

An explosion has but one option as indicated in Figure 4,2-3B, for the 
single compartment configuration; to rescue the injured, deal with other 
effects which can be any of the other credible emergencies, and to abort. 

With two compartment configurations, the injured can be evacuated to the 
second compartment, and a decision made as to whether to return or abort. 


EXPLOSION 


A. 


RESCUE & EVACUATE 


INJURED 

i 
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RESCUE INJURED 


ABORT 


EMERGENCY EVACUATION 


COMPATIBLE 
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A. 
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COMPARTMENT 


ABORT 


Figure 4.2-3B. Options - Explosion and Emergency Evacuation 
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Emergency evacuation to a pressure isolatable compartment is required 
to cope with situations which may require evacuation of a compartment in 
order to safeguard personnel from risks of an impending emergency. This 
option is not compatible with the single compartment configurations , there- 
fore, the risk of this emergency occurring must be taken for these configura- 
tions . 

The options available to cope with loss of pressure are many and complex, 
as can be seen from Figure 4.2-3C. All options, however, employ one or more 
of the same basic parameters; suits for crew, suits for crew and passengers, 
passenger abort in crew compartment, or passenger abort in passenger compart- 
ment. Sufficient time is available (2-8 minutes) to evacuate the depressurized 
compartment, and seek refuge in an adjoining compartment in a shirtsleeve 
environment. It is also assumed that the crew in all cases must ultimately 
return to the crew compartment to effect an abort. Thu options are segregated, 
for each configuration, into those which are applicable to a depressurized 
crew compartment and those which apply to a depressurized passenger compart- 
ment. Configuration airlocks are assumed to be 2-man airlocks and are used 
only as an airlock to transfer the crew IVA from a pressurized passenger com- 
partment to a depressurized crew compartment. 




A. 

B. 

C. 

D. 

E. 


COMPATIBLE 

CONFIGURATIONS 

1 2 3 4 5 6 7 



P 

ISU 




i 


* PASSENGER COMPARTMENT (PC) DEPRESSURIZED 
** CREW COMPARTMENT (CC) DEPRESSURIZED 


X X X X X 

X X 

X X X X X 

X X X X X 

X X X X X 


Figure 4.2-3C. Options - Loss of Pressure 
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With reference to Figure 4.2-3D, inability to close an external hatch 
upon return from EVA is assumed to be associated only with two compartment 
orbiter configurations or a single compartment configuration with an airlock. 

The premise for this assumption is that this emergency can only occur during 
/ planned EVA and that it is not reasonable from a safety point of view to 
plan EVA from a single compartment orbiter configuration which would require 
all personnel to don suits. It is assumed that, for a single compartment 
orbiter, a portable airlock would be carried in the cargo bay for missions 
in which EVA was planned. Planned EVA from the viable configurations can 
be performed either from an airlock or from the crew or passenger compart- 
ments. However, for those configurations which have an airlock, planned 
EVA is assumed to originate from the airlock. Two fundamental options are 
available to cope with the failure to close the EVA hatch. One option is 
to close redundant airlock hatches which are in series, and the other is to 
re-enter the vehicle via an alternate compartment. While use of redundant 
hatches does not lead to a requirement for "suits for all" for any configura- 
tion, re-entry into the vehicle via an alternate compartment does require "suits 
for all" for the "single compartment with airlock" and "dual compartment" 
configurations. For the configuration in which the crew and passenger com- 
partments are separated by an airlock, a unique situation is presented in 
that during EVA the airlock, the crew and passenger compartments are isolated 
from one another. A hatch failure at this time would require entry into 
either the passenger or crew compartments , each of which is adjacent to the 
airlock. If all passengers are required to be in the passenger compartment 
during EVA, then the most viable option is to enter via the crew compartment. 
This option requires only suits for the two crewmen. 


COMPATIBLE 

CONFIGURATIONS 


1 2 3 4 5 6 7 






* No PUNNED EVA FOR SINGLE CREW/PASSENGER COMPARTMENT 
** PASSENGERS STAY SUITED IN PASS. COMPT. OR SHIRTSLEEVE IN CREW COMPT. 

A SEE TEXT 

Figure 4.2-3D, Options - Failure to Close External Airlock Hatch When 
Returning From EVA (Resulting in Inability to Return From EVA) 
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Complex options are not identified where simple solutions, inherently 
available in the configuration, are available. For example, the "all in 
suits" option is not shown as being compatible with the two compartment with 
airlock configurations for "EVA via airlock" because a simpler solution, 
requiring depressurization of an adjacent compartment, is available which 
does not require suits. 

Inability to open an internal EVA hatch (reference Figure 4.2-3E) to 
gain entry into the vehicle after EVA Is an emergency which is not applicable 
to the single compartment configuration for the same reasons as previously 
discussed for the inability to open an external EVA hatch. In this emergency, 
the crewmen returning from EVA has the capability to enter the airlock, close 
the external EVA hatch, and pressurize the airlock to enable coping with the 
situation in a shirtsleeve environment via a redundant opening mechanism, or 
by use of a second ingress /egress hathc in the airlock compartment. A third 
option, available only to two compartments with airlock configurations, re- 
quires evacuation of one of the two compartments to enable entry by EVA into 
the evacuated compartment. 


COMPATIBLE 

CONPICUXAIIONS 


I 2 3 4 5 6 7 


* 




X X X X X X 


X X . X X X 


A X x X 


* NO PLANNED EVA 
A SEE TEXT 


Figure 4.2-3E. Options - Failure to Open Internal Airlock Batch When 
Returning From EVA (Resulting in Inability to Return From EVA) 
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Many dockings with manned and unmanned orbital elements are planned 
for the orbiter. These dockings can present a unique safety situation if 
the docking hatch on the orbiter cannot be closed to permit undocking and 
separation from the docked vehicle. The options developed to cope with 
this situation (reference Figure 4.2-3F) consider that the docking port 
with docking hatch can be located on the airlock, crew compartment, passenger 
compartment, or the integral crew/passenger compartment. Only one option, 
to provide a redundant docking hatch in series, is compatible with all orbiter 
configurations. This option is also the only 'Itemative which provides for 
continuation of the mission for all configure cions. A docking port/hatch on 
the airlock also enables continuation of the mission for all airlock con- 
figurations except the configuration in which the passenger and crew compart- 
ments are separated by the airlock. Mission abort would be required for 
this configuration because the de-pressurized airlock would separate the 
crew and passenger compartments. Placement of the docking port/hatch on an 
airlock or on the passenger compartment are the only options available which 
permit coping with this situation in a shirtsleeve environment, and as such 
do not introduce a requirement for suits for crew or passengers. 
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Figure 4.2-3F. Options - Failure to Close Docking Hatch Before Undocking 

(Resulting in Inability to Undock) 


105 


SD 72-SA-U094-2 







Space Division 

North American Rockwell 


Emergency EVA may be required to perform a visual inspection of external 
structures, subsystems, or equipment, or otherwise to ascertain and/or effect 
the best course of corrective action available to cope with certain emergency 
situations. 

An example of such an emergency situation would be where a module, 
docked to an airlock equipped with an EVA ingress /egress hatch on the 
docking port, cannot be undocked and is blocking EVA egress for investigation 
and corrective action. 

The options available to cope with the situation of inability to open 
an EVA hatch when emergency EVA is required are shown in Figure 4.2-3G 
and encompass alternatives of suits for all, a backup EVA hatch in the com- 
partment used for EVA, or use of one of two compartments as a backup EVA 
airlock in two compartment/airlock configurations. 
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Figure 4.2-3G. Options - Inability to Use Docking Hatch f r r EVA When EVA 
Required (Because of Obstruction, When Emergency EVA Required) 


The basic requirement, however, originating from this emergency, and 
inherent in all options is that two EVA ingress/ egress paths are required. 
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4. 2. 2. 2 Major Safety Requirements 

The multitude of options available to cope with each emergency lead to 
different sets of requirements for each compatible orblter configuration. 
These requirements are identified, correlated to the originating emergency, 
and grouped in accordance with their applicability to each orblter configura- 
tion. A logical reduction of the grouped requirements is made to arrive at 
a recommended minimum acceptable set for the configuration. This process 
is illustrated and documented in Figures 4.2-4A through 4.2-4D. 

Hatch requirements are an Important consideration but are not major 
configuration drivers and, therefore, all hatch requirements relative to the 
parameters of location, dual opening (hatch within a hatch) or dual closing 
(back to back) are consolidated under the column titled "Hatch Requirements". 
Reference is made to the previous options section for detailed hatch require- 
ments. 

These charts contain sufficient information to ascertain the impact 
on vehicle configuration of the elimination of one or more requirement 
options. If, for example, eight psl suits were eliminated as a viable 
requirement option on the two compartment with airlock orblter configura- 
tions due to a programmatic decision, the remaining viable alternatives 
could readily be determined, as shown by Figure 4.2-4E. The remaining 
viable alternatives encompass suits for all, capability to perform an abort 
in a vacuum environment, passenger abort in suits, and passenger abort in 
the crew compartment. The viable requirement nets resulting are suits for 
all (3.5 psi) with passenger abort in suits, or shirtsleeve passenger abort 
in the crew compartment. The capability to i rform an abort in a vacuum is 
common to both sets of requirements. From the safety point of view the 
latter alternative in which the passengers are aborted in a shirtsleeve 
environment is preferred. 

I 

A summary of the recommended requirements for all seven candidate 
orblter configurations is shown in Figure 4.2-5. Only one configuration, 
the two compartment with an airlock in between, is identified as not accept- 
able because a problem in the airlock can isolate the passengers from the 
crew compartment. 

Five basic options were identified for comparing the configurations to 
arrive at relative safety ratings. These relate to the number and type of 
suits; whether IVA or EVA is required to effect transfer of personnel to the 
crew compartment in the event of an emergency; and whether a refuge compart- 
ment is available. These five options are: 
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Figure 4. 2-4 A. Major Safety Requirements, Crev/Passenger Compartment Only 
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Figure 4.2-4C. Major Safety Requirements, Separate Crew and Passenger Compartments 
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Figure 4.2-4D, Major Safety Requirements, Separata Crew, Paaseager and 

Airlock Compartments 
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Figure 4.2-4E. Effect of Eliaining 8 psi Suits 
(Reference Figure 4.2-4D) 



Figure 4.2-5. Summary of Recoamended Requirements 
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Option 

Pressure Suits 
Quantity Type 

Transfer Mode 
to Crew 
Compartment 

Refuge Compartment 
Available 

A 

All 

8 psi 

N/A 

No 

B 

2 

8 " 

N/A 

Yes 

C 

All 

3.5 " 

IVA 

Yes 

D 

2 

3.5 " 

IVA 

Yes 

E 

2 

3.5 " 

EVA 

Yes 


A comparison of the configurations, using these options, as primary parameters, 
is shown in Figure 4.2-6. An additional parameter, that of reaction time, 
is introduced to signify the amount of time available to react to the cred- 
ible emergencies. Seven (7) minutes corresponds to the time required for 
obtaining access to and donning 8 psi suits. Two (2) minutes i.s that time 
required for personnel to evacuate, in a shirtsleeve environment, an affected 
compartment and seek refuge in the adjoining compartment. 

The safety ratings as listed are based on the reaction time and avail- 
ability of a rescue compartment. Options which result in minimum reaction 
time and exhibit a rescue compartment are most favorable. The acceptable, 
good, and best ratings apply to the combination of a particular configuration 
and the number and type pf p require Suits carried pn^boqrd. The ratings 
are based on the resulting capabilities' of the configuration/suit combina- 
tions, as follows: 


Safety Factor 


Reaction 

Refuge 

Safety 

Time 

Compartment 

Ratine 

7 mins 

No 

Acceptable 

7 mins 

Yes 

Good 

2 mins 

Yes 

Best 


The acceptable and good ratingc are applicable to Options A and B and 
are distinguished by the availability of a refuge compartment. Configurations 
for which the acceptable rating applies (therefore. Configurations 1 and 2 - 
Option A) do not have a refuge volume and, therefore, require a minimum of 7 
minutes of reaction time for all personnel to locate and don 8 psi suits. If, 
however, a refuge volume is available as is required by Option B, passengers 
may egress to it and be afforded a safe haven within 2 minutes. Therefore, 
since an additional margin of safety is provided by Option B over Option A, 
Option B is given a "good" rating. 
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I PRESSURE SUITS 

SAFETY FA 

CTORS 

SAFETY 

CONFIGURATION 

OPTION 

QTY. 

TYPE 

REACTION TIME* 

REFUGE COMPT. 

RATING 

1-1 C/ P 1 

A 

ALL 

8 PSI 

7 MINS 

NO 

ACCEPTABLE 


A 

ALL 

8 PSI 

7 MINS 

NO 

ACCEPTABLE 

3. C P 

B 

2 

8 PSI 

7 MINS 

YES 

GOOD 


C 



2 MINS 

YES 

BEST 

QEgijgHI 

D 

1 

2 

3.5 PSI 

2 MINS 

YES, IF ACCESSIBLE 

POOR ** 


B 


8 PSI 

7 MINS 

YES 

GOOD 

C 


3.5 PSI 

2 MINS 

YES 

BEST 


D 

2 

3.5 PSI 

2 MINS 

YES 

BEST 


B 

2 

8 PSI 

7 MINS 

YES 

GOOD 


C 

ALL 

3.5 PSI 

2 MINS 

YES 

BEST 


E 

2 

3.5 PSI 
(EVA) 

2 MINS 

YES 

BEST 

7 -.CEh P| 

D 

2 

3.5 PSI 

2 MINS 

YES 

BEST 


* REACTION TIME TO ACHIEVE SAFETY: 7 MINS TO DON SUITS; 2 MINS TO EGRESS TO REFUGE COMPT 
“AIRLOCK PROBLEM CAN PREVENT ACCESS TO CREW COMPARTMENT 


Figure 4.2-6. Comparison of Conf . ,;uration% 

Only one configuration, that which was not previously recommended, is 
rated as poor. This configuration, in which the crew and passenger compart- 
ments are separated by an airlock, can result in isolation of the crew and 
passenger compartments if an airlock problem is er countered. 

4.2.3 Conclusions and Recommendations for Baselir e Orbiter Configuration 

The safety conclusions and recommendations for the baseline orbiter con- 
figuration (Figure 4.2-1) involve compartments Lion , suit provisions, airlock 
sizing, EVA ingress/egress, and operational and subsystems capability. These 
are: 


• Quick-donning pressure suits which do .tot require prebreathing 
(8 psi suits) should be provided for all on-board personnel. 
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• The crew/passenger compartment should be divided into two sections 
by a partition which can exclude smoke and fumes , and can provide 
protection against excessive heat from a fire. Pressure build-up 
beyond the capability of the partition can be provided by suitable 
pressure relief valves in each section. These sections can provide 
temporary refuge until corrective measures can be taken. 

e All equipment required for return to earth should be capable of 
operating in a depressurized environment, and of being operated by 
the crew in pressure suits. 

e Capability should be provided for returning from EVA directly into 
the crew/passenger compartment. 

• Provided the above recommendations are implemented, the airlock is not 
required for safety purposes. It should be available, possibly as a 
payload item, or missions for which EVA is planned. 

• If the airlock is capable of accommodating all passengers in 
emergency shirtsleeve conditions through deorbit and entry, then 

8 psi suits are required only for the orbiter crew on those missions. 

The passengers have time to return to their seats for landing after 
reaching low altitudes. 

4.2.4 Configuration With Large Airlock 

The airlock requirements for performing EVA are that the airlock be sized 
to accommodate 2 men in pressure suits with portable life support systems 
(PLSS) . Such an airlock is likely to be large enough to accommodate 4 and 
possibly 6 men in shirtsleeves. 

The airlock for the baseline orbiter which resulted from the Phase B study 
is even larger than this requirement. It is a sphere of 2.4 m (8 ft) diameter, 
intercepted by the flat harches. As shown in Figure 4.2-7, this airlock can 
accommodate at least eight men in hammock type of supports under emergency 
shirtsleeve conditions. Enough room is available for four more men, if 
desired, making a total of 12 men in the airlock. 

Such a large airlock can be used as a second compartment in the event 
of an emergency. In addition to being sized for two crewmen with PLSS, it 
must be capable, in an emergency, of supporting all passengers in a shirtsleeve 
environment through deorbit and reentry. This may require in excess of six 
hours life support capability in the airlock for return to CONUS (Continental 
U.S.A.) landing sites. The capability to land with the passengers in the 
airlock is not required because the passengers can return to the crew/ passenger 
compartment to their respective (or makeshift) landing positions after the 
orbiter re-enters the sensible atmosphere and the cable is repressurized to a 
habitable environment. Passenger egress from the airlock could occur at 
approximately 4500 m (15,000 ft) altitude, 4 minutes prior to landing. Specially 
sized inward bleed valves on the crew/passenger compartment are required to 
ensure an adequate repressurization rate. 
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Two pressure suits only are required in this case, for use by the crew- 
men. These must be quick-donning 8 psi suits, which do not require any pre- . 
breathing. The airlock cannot be used for getting into the suits, as the air- 
lock hatch cannot be opened when shirtsleeve passengers are inside it and the 
atmosphere in the orbiter has been lost or contaminated. The two suits should 
therefore be kept in the crew/passenger compartment, not the airlock. 

It is estimated that the time required to done the suits is 7 minutes, or 
equivalent to the time available in a shirtsleeve environment to cope with 
pressure loss through a one- inch diameter hole. Additional reaction time can 
be gained by employing flood flow control, which replaces the atmosphere at 
approximately the same rate at which it is being lost, to maintain the atmos- 
phere at the minimum acceptable pressure level. 

An operational option which is available with this configuration, but 
which is not recommended as the normal emergency procedure, is for all per- 
sonnel, including the two crewmen, to evacuate to the airlock. Flood flow 
control is then don their suits in the airlock. Flood flow control is then 
employed to repressurize the crew/passenger compartment, which may have been 
totally evacuated to space, to at least 8 psi. After equalizing the airlock 
pressure to that of the crew/passenger compartment, the crew egresses and 
either repairs the leak or performs an abort. This option allows the crew a 
significantly greater amount of time to don their suits, but involves a time- 
critical operation in opening and closing the hatch. It also permits rescue 
of all personnel by means of a rescue orbiter (if available) docked to the 
airlock, if the leak in the crew/passenger compartment exceeds flood flow 
capability. Parametric charts involving flood flow capability are included 
in the appendix of this report. 
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For missions In which EVA is planned as part of the normal mission , 
pressure suits must be carried for all the passengers, as well as for the 
two crewmen and the EVA men. These are required in case an airlock malfunc- 
tion does not allow repressurization of the airlock (e.g., the external hatch 
cannot be sealed). The crew and passengers then don their suits, the crew/ 
passenger compartment is then depressurized, and the EVA men can enter. These 
additional suits may be much simpler than EVA or IVA suits, as no activities 
are to be performed in them. If the EVA men plan to red-line their oxygen 
supply to maintain a few hours reserves by the time they return, these addi- 
tional suits can be 3.5 psi suits which require perhaps two hours of pre- 
breathing before reducing to the operating pressures. Otherwise, they should 
be 8 psi suits. 

4.2.5 Alternative Orbiter Configuration 

An alternative safety approach for the orbiter is shown in Figure 4.2-8. 
This configuration is similar to the baseline with the exception that the for- 
ward located airlock is eliminated with its volume being absorbed into a 
single habitable compartment; and special design requirements are imposed to 
use the floor of the crew compartment to deal with a fire or atmospheric con- 
tamination. 



Figure 4.2-8. Alternative Safety Approach for Orbiter 
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The recommended approach for coping with a fire/toxic environment for 
this configuration is considerably different from that recommended for the 
preferred configuration. In order to isolate the crew/passengers from a 
fire/toxic environment in the passenger area, all personnel must egress to 
the crew area where they are afforded protection by smoke-tight floors and 
doors, and a slightly greater pressure iri the crew area with respect to the. 
passenger area. Sufficient venting must be provided in the passenger area 
to limit excess temperatures and pressures within tolerable bounds. 

In the event of a fire/ toxic environment in the crew area, the procedure 
is to evacuate to the passenger area, with the pressure being adjusted to 
prevent smoke, etc. entering the passenger compartment. Fire-fighting and 
purging provisions are required in both areas, as for the baseline configur- 
ation. 

The equipment required for return to earth must be capable of operating 
and being operated in a depressurized condition, as for the baseline configur- 
ation. 

Pressure suits (8 psi) must be carried for all on-board personnel for 
all missions. Loss of pressurization within the compartment requires ill 
personnel to don their suits, which takes approximately 7 minutes, the men 
helping each other in pairs to don suits. Other recommendations relative to 
loss of pressure are identical to those previously discussed for the preferred 
configuration. 

A portable airlock can be located in the cargo bay for those missions in 
which EVA is a planned activity. Since suits are provided for all, however, 
emergency EVA can still be performed from the crew/passenger compartment. 

A redundant EVA hatch is recommended, as in the preferred configuration. 
4.2,6 Ideal Orbiter Configuration 

An ideal safety configuration is one in which safety is inherent in the 
configuration, not through subsystems or time-consuming complicated procedures 
which may integrally involve personnel. The foremost objectives of such a 
configuration are (1) to de-sensitize the vehicle from the potential effects 
of credible emergencies, (2) to de-sensitize the vehicle from arbitrary cri- 
teria, such as vent valve sizing, factored into subsystems design resulting 
from a theoretical analysis of the credible emergencies, (3) to minimize the 
time required to safeguard personnel, and (4) to maximize the time available 
to perform corrective action. 

One configuration which ideally satisfies these objectives relative to 
the credible emergencies and effects considered in this task, is ’Shown in 
Figure 4.2-9. The configuration consists of a crew compartment, a passenger 
compartment, a two-man airlock, a docking port, three internal hatches, and 
three external hatches, one of which is a docking port hatch. Two 3.5 psi 
suits are provided for the two crewmen. Requirements Include capability for 
abort with the passenger in the crew compartment, capability for abort 
equipment to operate in a vacuum, and capability abort controls to be 
operatable by men in pressure suits. 
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Figure 4.2-9. Ideal Orbiter Safety Configuration 


In the event of loss of pressurization in the crew compartment , all 
personnel would seek refuge via the hatch/opening between the compartments, 
in the passenger compartment. The two crewmen would then don 3.5 psl suits 
and return, via IVA through the airlock, to the crew compartment to effect a 
repair or otherwise perform an abort. Conversely, loss of pressure in the 
passenger compartment would require all personnel to egress to the crew com- 
partment and abort in this compartment if repairs, via IVA, could not be per- 
formed to restore a habitable environment. 


The airlock, in addition to providing IVA capability between these 
compartments, permits emergency EVA to be accomplished while a vehicle is 
docked to the docking port on the passenger compartment. This emergency EVA 
capability would also be provided with no change in the capability of the 
configuration if the docking port and the emergency EVA hatch were interchanged. 
Emergency controls, including those for extinguishing a fire and for venting 
to space and re-establishing a habitable environment in either compartment , 
are located in the airlock. 

An emergency in the crew compartment which inhibits return to the com- 
partment or which results in inoperative abort equipment or controls would 
require abandonment of the vehicle via a rescue vehicle. The rescue vehicle 
must be capable of rescuing all personnel, or life support, capable to sus- 
taining excess personnel until the next rescue vehicle is available, must be 
provided in the passenger compartment or delivered by the initial rescue 
vehicle. 
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4.3 SAFETY ANALYSIS OF SORTIE MODULE CONFIGURATIONS 

Evaluation of the sortie module configurations is involved with the 
effects of the sortie module configuration on orbiter personnel and vehicle 
safety, and conversely with the use of the orbiter as a refuge volume for 
sortie module personnel. 

The sortie module may be unmanned, such as a pallet type, or may be 
pressurized and habitable. A mission which employs a nonpressurlzable, un- 
manned sortie module requires that the orbiter provide the life support, 
living quarters, and experiment monitoring facilities for the experimenters. 
In such a mission, the safety of the experimenters is solely dependent on the 
orbiter internal configuration, candidates of which have been analyzed in the 
previous section. 

Pressurized, manned sortie modules in which experimenters may spend a 
majority of their working, L isure, and sleeping time must be capable of 
coping with the credible emergencies of Section 4.1. 

In this respect, the following analysis has been accomplished not only 
to identify and recommend primary safety requirements for the sortie module, 
but also to understand the relative sensitivity of the sortie module and 
orbiter configurations and the shuttle mission the credible emergencies 
and the resulting safety requirements. 

4.3.1 Candidate Sortie Module Configurations 

Among the many mission classes planned for the shuttle are the sortie 
missions. For these missions, the orbiter will deliver to orbit a sortie 
module which will house and support specialists for experiments and observa- 
tions in earth orbit for from 7 to 30 days. The sortie module or re-usable 
space laboratory, in addition to providing the necessary power supply, 
experiment racks, and observation ports for experiments, will provide living 
accommodations and life support functions which are in excess of orbiter 
capability. 

Although the sortie module may eventually be equipped with systems that 
would permit its separation from the orbiter for independent operations, 
current studies (reference SOAR and RAM) are constrained to consider oniy 
missions in which the sortie module will remain attached to the orbiter. 

This task considers only manned sortie modules attached to the orbiter. 


Two basic sortie module concepts are currently under investigation in 
the *RAM study. One concept considers that all experimenter- living accommoda- 
tions, life and subsystems support (in excess of orbiter capability) and 
experiment functions will be contained within a single payload module. The 
alternate concept places all experiment functions in one module (RAM-Research 
Applications Module) and support functions, such as the living accommodations, 
life and subsystems support, in an adjacent attached module (RSM-RAM Support 
Module) . The latter concept assumes that the Support Module is a general pur- 
pose module capable of supporting many different kinds of experiment modules. 

^Research and Applications Module (RAM) Phase B Study - Contract NAS8-27539 
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These RAM sortie module concepts are shown in Figure 4.3-1 together with 
the MR baseline deployment concept. Airlock (s) are not shown but may be 
located anywhere they are required. The sortie RAM or pay lead module may be 
unpressurized or may be pressurized and habitable. The RAM Support Module 
(RSM) is a pressurized, habitable module and as shown in the figure the RSM 
and sortie RAM are provided with high pressure gas storage bottles around the 
periphery of the end docking port which interfaces with the orbiter. 



Figure 4.3-1. RAM Sortie Module Concepts 


The sortie module configurations selected for evaluation are compatible 
with and encompass the RAM study concepts. Six candidate configurations, 
shown in Figure 4.3-2, consider compartmentation arrangements for up to two 
pressure isolateable volumes, each of which is large enough to accommodate all 
experimenters id the event of an emergency, and a two -man airlock. An airlock 
capable of supporting all experimenters simultaneously would be treated as 
additional volume. 
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Figure 4.3-2. Candidate Sortie Module Configurations 


Numerous operational modes are available, in addition to the NR 
baseline, for deploying the sortie modules for orbital experiments. Three 
primary deployment options which Include both the single and dual module 
concepts and encompass the baseline option (Figure 4.3-3) were identified. 

The first option does not require, for normal experiment operations, any 
deployment mechanism because the module remains in the same position in the 
cargo bay throughout the mission. Option 2 requires a rotatable payload 
handling mechanism (MDAC payload handling concept) as compared to 3, which 
employs a manipulator. The sortie module outline on Option 3 indicates the 
position of the sortie module when attached to the docking port of the base- 
line configuration orbiter. 

Several other options were conceived which were not considered seriously 
because of configurational characteristics which are deemed impractical. 

These are shown in Figure 4.3-4. Option 1 requires two '•adial docking 
ports, one attached near each end of the sortie module. Option 2 requires 
the use of both the rotatable and manipulator mechanisms. Options 3 and 4 
were given consideration in the RAM study but were disqualified as primary 
deployment schemes. 
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4.3.2 Sortie Module Compartmentation Analysis 

The candidate sortie module configurations of Section 4.3.1 were evaluated 
for their capability to cope with selected credible emergencies of Table 4.1-1. 
The selected credible emergencies are those which apply to the sortie modules 
and can lead to compartmentation oriented requirements. They are: 

. Fire/toxic environment 

. Explosion 

. Emergency evacuation 

. Loss of pressure 

. Failure tc open Internal hatch between pressure isolateable 
volumes 

. Failure to close external airlock hatch when returning from EVA 

. Failure to open internal airlock hatch when returning from EVA 

The analysis methodology is similar to that employed for the orbiter in 
Section 4.2 and involves establishing major assumptions, developing operational 
options for coping with the credible emergencies, and evaluating the options to 
arrive at recommended requirements. 

The major assumptions are identical to that employed for the orbiter 
except for the following variances: 

. Airlock compartment for EVA can be VI, V2, or airlock on 
sortie module 

. Achieving safety via EVA from the sortie modules to the orbiter 
is considered a possible option. This is in contrast to the 
orbiter assumptions where for developing orbiter operational 
options, it was assumed that safety would not be achieved by 
performing EVA to transfer from one orbiter compartment to 
another. 

4. 3. 2.1 Operational Options 

The operational options available to cope with the above selected credible 
emergencies are shown for each of the candidate sortie module configurations, 
in Figures 4.3-5A through 4.3-5G. Again, as for the orbiter analysis, an 
option which is universally available for all emergencies is to "take the 
risk". A program decision not to accept the safety recommendations implies 
that the risk associated with the emergency is being taken. A second option 
which is universally available for all sortie module emergencies is to use the 
orbiter for refuge. 
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Three options are available to cope with a fire/toxic e vironment, as 
can be seen from Figure 4.3-5A; to seek refuge in a pressure isolateable 
sortie module compartment in a fire isolateable compartment or in the orbiter. 
Regardless of the option selected, the requirement e^.sts to extinguish the 
fire. Purging of the atmosphere and return to the affected compartment is 
necessary only if passengers are required to abort in the affected compartment 
or if it is required to effect corrective action which if not made could 
affect personnel/vehicle safety during an abort. 



COMPATIBLE 

CONFIGURATIONS 



XXX 



X 


XXX 


X X 



X 


X X 


XXX 


*l8olates atmosphere, but no significant delta~P capability 


Figure 4.3-5A. Options - Fire/Toxic Environment 


A primary concern, common to all options, is that of isolating the 
orbiter from the smoke, fumes, heat, or otherwise toxic environment generated 
within the affected compartment of the sortie module. These effluents can be 
introduced into the habitable volumes of the orbiter via open hatches to 
support the escape of personnel, or via orbiter/ sortie module atmosphere 
exchange loops. 

The only option available (reference Figure 4.3-5B) to cope with an 
explosion for single compartment configurations is to rescue the injured 
personnel and evacuate all to the orbiter. In the dual compartment configura- 
tions, the additional option of seeking refuge in the second compartment is 
available. 

An emergency evacuation, xn which at least minutes of reaction time is 
available, requires that the affect compartment be evacuated. Again, the 
only option available as shown in Figure 4.3-5C, for the single compartment 
configurations is for personnel to egress to the orbiter. Although egress to 
V2 is an option if Vi must be evacuated on the dual compartment configurations, 
this option cannot be considered seriously because of the possibility of 
stranding personnel in V2 if the emergency anticipated in VI does in fact occur. 
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Figure 4.3-5C. Options - Emergency Evacuation 


Loss of pressure can occur in either VI or V2. The operational options 
available to cope with this situation are shown in Figure 4.3-3D, and include 
aborting the passengers in the sortie module in suits within the affected 
compartment, seeking refuge in a second compartment and then either performing 
EVA to the orbiter or performing a shirtsleeve abort within the compartment 
or performing shirtsleeve egress to the orbiter. 
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Figure 4.3-5D. Loss of Pressure 


Failure to open an internal hatch during normal shirtsleeve operations 
results in isolation of personnel in the sortie module, and can lead to a 
shirtsleeve abort in the sortie module, suits for all with EVA to the orbiter, 
and redundant hatches or hatch opening mechanisms as shown in Figure 4.3-5E. 

It is noted that this situation can only occur if the hatches between sortie 
module volumes and between the sortie module and the orbiter are closed at 
some time during the mission. 

The options available to cope with inability to dose an internal EVA 
hatch upon return from EVA are many and complex as can be seen from Figure 
4.3-5F. It is assumed that EVA can be performed not only from the airlock 
but also from VI and V? when an airlock is not available. If an airlock is 
available, then EVA is assumed to be performed from the airlock. Options 
available to all configurations are to abort with the EVA crewmen in the EVA 
compartment or to close a redundant (in series) hatch. Aside from these 
common options, the primary factors involved in the other options include pro- 
visions for a backup EVA Ingress route on the orbiter, IVA to the orbiter or 
to another sortie module volume, suits for all, and egress of non-EVA personnel 
to the orbiter. 
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Figure 4.3-5E. Options - Fail to Open Internal Hatch 
(During Shirtsleeve Operations) 


Of particular note is the sensitivity of continuing or aborting the 
mission to the sortie module configuration. All options which require EVA 
from either VI or V2 result in abort with the single exception of closing a 
redundant (in series) hatch. Loss of either one of these volumes not only 
results in the loss of the volume to perform or support the performance of 
experiments , but can also result in isolating the adjacent sortie module 
volume and personnel in that volume from the orbiter. When EVA is performed 
from an airlock adjacent to the sortie module/orbiter interface as in 
Configurations 2 and 5, loss of the airlock results in isolation of the 
remaining sortie module volumes from the orbiter. However, if the airlock is 
located at the end of the sortie module furthest from the SM/orbiter inter- 
face, loss of the airlock does not isolate sortie module compartments from 
the orbiter or from one another, and therefore, enables continuation of the 
mission for those experiments which do not require use of the airlock. 

The factors associated with the options available for coping with in- 
ability to open an internal EVA hatch when returning from EVA are nearly 
identical to those discussed above for inability to close external EVA hatch 
as can be seen from Figure 4.3-5G. A notable exception is, however, the 
addition of an option which employs a backup EVA ingress route on the sortie 
module. 

4. 3. 2. 2 Major Safety Requirements Options 

The operational options of the previous section are evaluated to arrive 
at major safety requirements applicable for each candidate sortie module 
configuration. 
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Figure 4.3-5F* Options - Inability to Close External EVA Hatch 
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Figure 4.3-5G. Options - Inability to Open Internal EVA Hatch 
(Resulting in Inability to Return SM from EVA) 
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Figure 4.3~5G. Options - Inability to Open Internal EVA Hatch 
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The requirements considered as major are those which have the potential 
of affecting the sortie module configuration and those which involve a 
compartmentation oriented interface with the orbiter. They are: 

. Fire isolation compartment 

. Suits for all 

. 8 psi suits 

. Personnel abort in a vacuum 

. Personnel shirtsleeve refuge/abort in the sortie module 

. Personnel shirtsleeve refuge/abort in the orbiter 

. EVA to/ from the orbiter 

. IVA to /from the orbiter 

. Hatch requirements - These include redundant opening and 
closing mechanisms, redundant hatches such as parallel or 
back-to-back hatches, hatch locations, and whether hatches 
are to be normally open or normally closed. 

The applicability of these requirements as they relate to each candidate 
sortie module configuration and credible emergency is shown in Figures 4.3-6A 
through 4.3-6F. 

An "x" under the column of a requirement indicates that it is applicable 
to the emergency to which it is cross-referenced. A set of requirements, as 
is indicated by "x's" in the same row, are requirements which are dependent 
upon one another to satisfy a given operational option for a given emergency/ 
failure. Multiple sets of requirements, any set of which is sufficient to 
cope with the emergency failure are identified by brackets. 

Reference to Figure 4.3-6A, for example, shows that for loss of pressure 
of a single compartment sortie module; configuration 1, twc sets of require- 
ments are applicable. The first set requires that 8 pel suits be provided 
for all sortie mo^*:le personnel and that the capability be provided to abort 
with the suited personnel in the unpressurized sortie module. The alternate 
requirement is for all personnel to egress to the orbiter and abort with 
the personnel in a shirtsleeve environment in the orbiter. 

The recommended requirements, shown at the bottom of the figures, are 
the minimum requirements necessary to cope with all the credible emergencies. 
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Figure 4.3-6C. Major Safety Requirements - Configuration 3 


Eaergency/Fallure 


Fire /Toxic Envlr 


Explosion 


Emergency Eval 


Loss of Pressure 


Fall to Open Internal 
Hatch 


Fall to Close External 
EVA Hatch 


Fail to Open Internal 
EVA Hatch 



Personnel 

Shirtsleeve 

Refuge/ 

M 

# 

U 

e 

« 

a 

Abort 

44 

•H 

Z 

■H 

44 

m 



ol 


s 


■3 

a 

<1 

u 

*4 

5 

a 



a 


VI V2 


Recoanended 


X • Requirement * - Redundant Opening, Closing; Location 


Figure 4.3-60* Major Safety Requlrementa - Configuration 4 
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Figure 4.3-6E. Major Safety Requirements - Configuration 5 
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A summary of the recommended requirements for all six candidate sortie 
module configurations is shown in Figure 4.3-7. As can be seen from an 
inspection of the chart, only four requirements are involved in the recommenda- 
tion. These are personnel shirtsleeve refuge/abort in the orbiter, personnel 
shirtsleeve refuge/abort in the sortie module, EVA to and from the orbiter, 
and hatch requirements. Of these requirements, only one, the requirement for 
personnel shirtsleeve rescue/abort in the sortie module is not common to all 
configurations. This is because it is peculiar to those configurations in 
which an airlock or a compartment used as an airlock is located between the 
sortie module and the orbiter. Emergencies involving internal or external 
hatches in these compartments during EVA result in isolating personnel in the 
sortie module and require the capability to abort with personnel in the sortie 
module. 
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Figure 4.3-7. Summary of Recommended Requirements 


Also worthy of note is that the hatch requirements which involve redundant 
opening, closing, and locations are applicable only if EVA is performed or 
internal hatches are normally closed. 
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The only requirement which is common to all candidate configurations and 
recommended sets of requirements is that of personnel shirtsleeve refuge/abort 
in the orbiter. The underlying rationale for recommending this all encompassing 
high level requirement is that regardless of the sortie module configuration, 
exit to and refuge in the orbiter is the natural goal for emergencies which do 
not cut off the normal egress path to the orbiter. 

Because implementation of this requirement can significantly reduce or 
eliminate the imposition of other significant requirements on the sortie 
modules, such as fire isolation compartment, suits for all, 8 psi suits, and 
personnel abort in a vacuum in the sortie module, additional attention is 
given in the next section to ensuring availability of an egress path to the 
orbiter, and to controlling hazards which could cut off the egress path. 

4.3.3 Emergency Egress to Orbiter from Sortie Module 

The analysis of 4.3.2 shows that the position of the sortie module on the 
orbiter, or single or dual sortie module configurations are not important 
factors in the safety evaluation. The most important configuration oriented 
safety considerations are ensuring an egress path to the orbiter, and the 
identification and control of hazards which could cut off the egress path(s). 
Three basic configuration concepts, shown in Figure 4.3-8, are available for 
providing emergency egress to the orbiter for an emergency, such as a fire or 
explosion, which has blocked the normal egress route. The first concept 
employs an airlock on the far end of the module. Egress to the orbiter can 
either be by EVA through an EVA hatch on the airlock, or shirtsleeve if a 
docking port were on the airlock and a manipulator were used to undock the 
module, rotate it 180 degrees, and redock it to the orbiter. The second 
concept, which is similar to that employed on the NR Modular Space Station 
modules, uses an internal floor to divide the module horizontally into two 
basic volumes. Access doors (or openings) are provided in the floor at each 
end of the module with sufficient clearance underneath the floor to allow 
shirtsleeve personnel to maneuver to the exit at the orbiter interface and 
egress. 





Figure 4.3-8. Emergercy Egress From Sortie Module 
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The third concept, which requires dual docking ports on both the orbiter 
and sortie module (or equivalent schemes to provide a closed arrangement), it 
the ideal safety configuration since it provides for immediate shirtsleeve 
egress to the orbiter from either end of the module. However, this is not 
considered practical because it is not compatible with current orbiter con- 
cepts which are configured with, at most, one docking port. 

A fire/toxic environment in the sortie module requires at a minimum, as 
in the single compartment orbiter configuration, the capability to vent the 
sortie module atmosphere to space to control the produced heat and pressure 
within acceptable limits, and to contain the smoke, fumes and other toxic by- 
products of combustion to the sortie module by creating a slightly lower 
pressure in the sortie module relative to the orbiter during egress of the 
experimenters to the orbiter. 

An alternative approach to the pressure differential scheme is to provide 
an airlock capable of holding all experimenters simultaneously, between the 
orbiter and sortie module. To rid the airlock of the toxic effluents which 
have followed the experimenters during their escape, the airlock would be 
either purged with a nitrogen/oxygen atmosphere, in which case suits would 
not be required, or vented to space, which requires suits for all experimenters. 

The ideal location for hazardous equipment, such as high pressure bottles 
and cryogenics storage vessels, is on the end of the module which is furthest 
from the orbiter interface. Hazardous equipment placed at the module-to- 
orbiter or module-to-module interface could, in the event of an accident, cut 
off all the egress paths to the orbiter. 

An alternative to cope with any emergency which jeopardizes the safety of 
the orbiter, once all personnel are evacuated from the sortie module, is to 
release or eject the sortie module from the orbiter. 

4,3.4 Consideration of Catastrophic Emergencies 

Consideration of a catastrophic emergency in the sortie module such as 
loss of pressurization within a few seconds leads to consideration of means 
to prevent propogation of the emergency or its effects to the orbiter and its 
crew. One method, proposed by General Dynamics for the RAM program is to keep 
a hatch between the orbiter and sortie module in a normally closed position. 

In particular, the General Dynamics concept calls for an orbiter airlock 
between the orbiter and sortie module. During orbital operations, the airlock 
hatch on the orbiter side is normally closed while the hatch adjacent to the 
sortie module is normally open. This concept is Intended to provide rapid 
egress, via the open airlock hatch, of the sortie module personnel to the 
airlock in the event of a non-catastropic emergency in the sortie module or 
conversely to inhibit or otherwise provide an additional margin of protection 
from, via the closed airlock hatch, the propogation of a catstrophlc emergency 
to the orbiter. 

The airlock also provides via purging or venting, a means to expel the 
contaminated atmosphere which may have followed the experimenters during their 
escape. 
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The following points must also be considered, however, as related to the 
airlock and the normally closed hatch arrangements. 

. The airlock must be capable of supporting all experimenters 
simultaneously. This Is required whether or not the experi- 
menters are In shirtsleeves as they would be If a nitrogen/ 
oxygen atmosphere purging technique were used, or If In suits 
as would be the case If venting to space were employed to rid 
the airlock of a contaminated atmosphere. This requirement to 
support all personnel In the airlock Is In direct conflict with 
all known shuttle studies conducted to date which have considered 
only a two-man airlock. 

. The experimenters are Isolated In the sortie module during use of 
the airlock for EVA. The situation Is further aggravated if a 
problem occurs during EVA which Inhibits repressurization of the 
airlock, or if an unplanned depressurization of the airlock occurs. 

. The emergency "failure to open an internal hatch" is credible only 
for configurations in which hatches are located such that failure 
to open a closed hatch precludes shirtsleeve transfer from one 
pressure isolateable volume to another. The "normally closed" 
hatch concept makes this emergency credible and leads to redundant 
hatch mechanisms, redundant parallel hatches, suited operations or 
to accept the risk. 

. A normally closed hatch between the orbiter and sortie module 
decreased the amount of time available for the experimenters to 
seek refuge from a rapid, but not necessarily catastrophic, de- 
pressurization of the sortie module. An example of the typical 
difference in reaction time available between having an orbiter/ 
sortie module hatch open and closed can be realized by con- 
sidering the effects of a two-inch hole in the sortie module. 

Assuming a volume of 42 m^ (1500 cu ft) for the sortie module and 
66 m^ (2360 cu ft) for the orbiter, approximately one minute is 
available for all experimenters to egress to the airlock and close 
the airlock/sortie module hatch when the airlock/orbiter hatch is 
normally closed. If this hatch were normally left open, exposing 
a total orbiter plus sortie module volume of 108 m^ (3860 cu ft) 
to be depressurized, the available reaction time would be 
increased to approximately three minutes. 

4.3.5 Conclusions and Recommendations 


Conclusions reached from the analysis are: 


* A sortie module consisting of two separate pressurized modules 

does not have any significant safety advantages comnared to a single 
module version. In both cases, the orbiter is available as a separate 
refuge co"mart"*ent. 
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. No safety requirement exists for an airlock between a aortle 
module and an orbiter, provided it is acceptable to abort a 
particular mission if a depressurization or contamination 
problem arises in the sortie module. An airlock between 
orbiter and sortie module could be useful in providing IVA 
maintenance capability in such an. event, but also poses the 
additional risk of Isolating personnel in either vehicle if 
a similar problem arises in the airlock. 

Recommendations made are as follows: 

. The airlock, if provided, should be configured such that 

isolation of the sortie module crew from the orbiter does not 
result during the performance of EVA from the airlock. If 
this is not practical, then the emergency capability to de- 
orbit all personnel in the sortie module or in the orbiter 
should be provided, or the capability should be provided to 
transfer personnel in the sortie module to the orbiter via 
EVA to enable an abort of the mission. 

. A means of emergency exit (dual egress capability) should be 
provided in sortie modules, for example, by a longitudinal 
floor providing independent personnel routes above and thelow 
the floor. 

. Emergency accommodations should be provided in the orbiter 
for all passengers through an abort. 

. A means should be provided to release the sortie module from 
the orbiter. Release is differentiated from ejection in that 
no identified credible emergencies require a reaction time less 
than a few minutes, as Implied by ejection. 
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4.4 SAFETY ANALYSIS OF MODULAR SPACE STATION CONFIGURATIONS 

The NR and MDAC Modular Space Station configurations resulting from 
Phase B studies are evaluated in this section for the inherent means available 
to cope with the credible emergencies of Section 4.1. The normal operations 
of the space station in between resupply operationc are covered in Section 
4.4.2, the space station assembly in Section 4.4.3, and the resupply operations 
in Section 4.4.4. 

The analysis assumes that each of the credible emergencies can occur in 
any of the modular elements and that each modular element and the orbiter, 
when attached to the station, is a pressure isolateable volume compartment. 

The credible emergencies considered lead to a number of basic criteria which 
are used to evaluate the station configurations. 

4.4.1 Candidate Space Station Configurations 

The candidate space station configurations selected for this task are 
those resulting from the NR and MDAC Phase B Modular Space Station studies 
(Figure 4.4-1). Both configurations exhibit the capability to add additional 
core modules along the longitudinal areas to facilitate growth from the initial 
station 6-man capability to a 12-man growth station or a space base. Module 
identification numbers on the figures are indicative of the sequence in which 
the shuttle delivers the modules during the station assembly phase. 

Integrated pressure volume summaries, of the NR and MDAC concepts, which 
identify the primary safety related items of test/isolation, scientific, IVA, 

EVA, contingency, and pressure isolatable volumes in addition to hatch loca- 
tions, are shown in Figure 4.4-2. 

The MDAC station forms an open configuration while the NR station, through 
application of the auxiliary passages to interconnect modules, falls into the 
closed configuration class. The basic difference between the open and closed 
configurations ^s that an obstruction isolates a volume of that element from 
other parts of the station. In a closed configuration, however, a single cut 
through an element (with the exception of the attached solar array power source 
and side mounted module on the NR station) cannot Isolate volumes of the station. 

The MDAC station relies on airlocks on the ends of the radially and end 
mounted modules to provide a refuge haven for the crew in the event of an 
emergency in these volumes. The NR station, however, is divided into two 
basic volumes, each of which is provided with life support and station control 
authority from a pair of diametrically opposed modules encompassing these 
functions. Each volume is capable of operating independently of the other 
volume and of sustaining a crew of six at emergency levels for 48 hours. 

Three shirtsleeve access routes are available on the NR station between 
the two basic volumes as provided by the airlock and the two auxiliary pass- 
ages. IVA between volumes is possible only through the core module airlock. 

EVA, however can be performed not only from the airlock, but also from air- 
locks attached to the ends of the life support modules. 


140 


SD 72-SA-0094-2 



Am Space Divisi ° n 

North American Rockwell 


> 

on 

o 


LU 


CO 

2 


« 

s 

s 


LU 


wgc/> 

fcoo 

>»-a: 




OLu“*</> 

CO 0_ -J(J 

£§SP 

LU>2C0 

$£uzo 

oa: luo 

Q.OUJ 


u 

< 

o 


CS 

O 


• • • • 


5) 


» 
on on 
oo 
h h 
<< 
on on 
oo 

OG CO 



LU 

-I 

O 

o 

2 


uifc^UJ 

0?°nO 

\g-Q-^r 

o==oS 

KojW)(/)k\ 

g|=:'£££§ 

oooititoa 

UQ.UJJOO 


HO, fO^MnsON 


SD 72-SA-0094-2 


Figure 4.4—1. Candidate Space Station Configurations 
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Hemispherical shaped hatches on the MDAC station farm, when two modules 
are docked, a spherical volume capable of accommodating two suited IVA 
crewmen. 

A. 4. 2 Operational Space Station Compartmentatlon Analysis 

During the normal operations of the space station (l.e., in between re- 
supply), the safety of the occupants must be assured by suitable compartmenta- 
tlon and other provisions on the station itself, without reliance on the orblter. 
Examination of the credible emergencies identified in Section 4.1 shows that 
three basic criteria must be satisfied. These ares 

. Dual engress criteria 

. Dual ingress criteria 

. Loss of a module/compartment criteria. 

The rationale for these three criteria and their compliance in the 
reference configurations are discussed below. Also discussed are some addi- 
tional operational safety considerations related to configuration* 

4. 4. 2.1 Dual Egress 

Certain emergencies in a module, such as a fire or explosion, may cut off 
the normal escape route to a survivable area resulting in entrapment of the 
crew within the affected module. The possibility of isolating personnel in a 
compartment in which an emergency has occurred can be reduced if multiple egress 
paths to a survivable area are provided within a habitable compartment. The 
desirability of these provisions, from the safety point of view, lead to the 
dual egress criteria which is stated as; 

. Normally habitable compartments of more than 25 m^ (880 ft^) 
in volume shall have two or more exits into. areas which 
provide for personnel survival. 

The volume below tfiich the dual egress criterion does not apply, 25 m^ 

(880 ft^) , is determined by judgement and is intended to represent the minimum 
compartment volume below which the immediately dangerous space (heat, flames, 
debris) in a credible emergency would prevent crew escape and survival, regard- 
less of the number of egress routes. 

Four conceptual means of satisfying the dual egress criterion for the 
Modular Space Station are available: 

A. Dual shirtsleeve entry/egress inherent in the configuration 

through the interconnection of modular elements in ^closed "ring" 
configuration. 

B. External connecting passages, called auxiliary passages, 
required between proximate modules to provide the second 
shirtsleeve egress path* 
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C. Module floors which provide escape routes above and below 
the floor. 

D. Airlocks with docking capability for rescue by the orbiter, 
or with sufficient suits for EVA escape/rescue, are required. 

These concepts are shown schematically in Figure 4.4-3. 



A. CLOSED RING CONFIGURATION 



B. AUXILIARY PASSAGE 



C. FLOOR IN MODULE 



D. AIRLOCKS ON MODULES 


Figure 4.4-3. Alternate Solutions for Satisfying Dual Egress Criterion 
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Both the NR and MDAC stations can meet the dual egress criterion by one 
or more of the above means as can be seen from Figure 4.4-4. Dual egress 
from the NR core and MDAC crew/operations modules is inherent in the config- 
urations. Auxiliary passages are employed between the support and control 
modules which are docked to the core on the NR station to effect a shirtsleeve 
egress path between the modules. The internal arrangement of the NR standard 
modules also employ as an additional egress safety feature, an internal floor 
which has covered openings not only at the ends, but also at the auxiliary 
passage inlet. While the power module of the NR station and all other modules 
of the MDAC station have only one shirtsleeve egress path into the core or crew/ 
operations module, a second egress path via EVA is possible. EVA may not be 
required from an airlock at the end of a module if a rescue shuttle is avail- 
able and can be docked to the module. However, if a rescue orbiter is not 
available and EVA is required to gain access to the shirtsleeve volume of the 
station, EVA suits must be provided in all modules for all personnel inhabiting 
that module. On either station, normal EVA ingress to a habitable station 
environment would be through another station airlock. Unassisted entry to the 
airlock by the EVA crewmen outside the vehicle could be avoided if other station 
personnel entered the airlock, donned suits, and performed the necessary air- 
lock functions. 

4.4. 2. 2 Dual Ingress 

Emergencies may occur which may result not only in incapacitating personnel 
but also in cutting off the rescue path or opening. Because personnel may be 
injured or incapacitated, the time involved to effect rescue may be a critical 
factor for crew survival, and participation of the injured personnel in the 
rescue operations cannot be assumed. Consideration of these possible effects 
of credible emergencies leads to the dual ingress criterion: 

. Access to two or more shirtsleeve entrances into normally 
habitable compartments of more than 25 m^ (880 ft^) in 
volume shall be immediately available from each of the 
otter normally inhabited compartments. 

Rationale for the volume constraint on applicability of the criterion is 
identical to that previously discussed for dual egress. 

The primary difference between the dual egress and dual ingress criteria 
is that dual egress can be satisfied by 1VA or EVA, while dual ingress can 
only be satisfied, because of time criticality, by shirtsleeve operations. 

The ingress paths available for both subject stations are shown in 
Figure 4.4-5. As shown, an incapacitated crewman in a life support or 
control module docked to the core on the NR station can be reached in a shirt- 
sleeve environment either by the docking port or auxiliary passage openings. 

On the MDAC station, an incapacitated crewman in either end of the crew/ opera- 
tions module, or in a module docked to the crew/ operations module can be 
reached via only one shirtsleeve path and as such does not satisfy the dual 
ingress criterion. The alternate EVA route is particularly disadvantageous in 
this situation in that up to a 3-hour prebreathing period may be required by 
the rescurers, unless 8 psi suits, which require no pre breathing are used, and 
that all airlocks and hatches must be capable of being operated, unassisted by 
the injured crewman, by the EVA rescurers external to the vehicle. 
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Figure 4.4-5, Dual Ingress Criterion 
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4. 4. 2. 3 Loss of a Module/Compartment 

An emergency in a module/ compartment can render life support and station 
control facilities in the module/compartment totally inoperable and unrepair- 
able, or in a less extreme case temporarily Inoperable until repairs can be 
effected. During a time in which a moduje/compartment has lost this functional 
capability, life support and vehicle control provisions must be available to 
suoport personnel in another volume of the station. This support may be 
required until orbiter resupply/rescue is available or until repairs can be 
made. 


This situation leads to consideration of the loss of a module/compartment 
safety criterion which provides for crew survival and vehicle control in a 
redundant survival volume until resupply/rescue/repair can be effected follow- 
ing loss of any pressure isolateable module/compartment. The loss of a 
module/ compartment safety criteria is stated as follows: 

. Capability shall be provided for the emergency shirtsleeve 
survival of all onboard personnel until the next resupply or 
emergency shuttle flight following the loss of access to any 
one module/compartment and the loss of equipment and supplies 
in that module /compartment. If the loss of the module/com- 
partment divides the station into two or more isolated 
habitable sections, then each section shall provide the 
survival capability for all onboard personnel, including an 
available docking port. 

This survival volume can be composed of a pressure isolatable compartment 
within a module, a whole module, or a cluster of modules. The loss of a 
module /compartment criterion is satisfied by the NR station as can be seen 
from Figure 4.4-6. The NR station is divided into two separate pressure 
isolatable volumes by the airlock (AL) on the core module. Each volume is 
serviced by two separate modules which provide crew habitability, life 
support, and vehicle control. Entry back into a depressurized volume from 
the survival volume would normally be accomplished by performing IVA through 
the core module airlock. However, if the station is in a configuration where 
airlocks have been attached to the ends of the modules containing the Environ- 
mental Control and Life Support Systems (EC/LS), EVA may be accomplished to 
gain entry into the depressurized volume; however, this requires that all air- 
lock functions and controls on the affected volume be operable by the EVA 
crewmen external to the vehicle. 

On the MDAC station, the separate volumes of the crew/ operations module 
and the general purpose laboratory serve as survival vo‘ mes for one another. 
Access between these two modules, should one become depressurized, would be 
through a spherical IVA airlock formed by the hemispherically shaped hatches 
of each module at their docking interface. 
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The modular arrangement does not, however, satisfy via a shirtsleeve 
environment, the part of the loss of a module/compartment criterion which 
deals with division of the station into two or more isolated volumes. As can 
be seen from Figure 4.4-6, a potential hazard with this modular arrangement 
is that loss of the crew/operations module could isolate the crew in separate 
modules if, for example, personnel were working in the power/ sub systems module, 
cargo module, or a module or cluster of modules docked to the end of the crew / 
operations module. The only modes available to reunite the crew would be for 
stranded members to perform IVA through the crew/operations module using the 
hatch formed airlocks or to perform EVA to gain access to the general purpose 
laboratory through its end located internal airlock. Either return mode is 
disadvantageous in that it requires storage and dispersement of IVA/J2VA suits 
and critical equipment and supplies throughout the vehicle. 

4. 4. 2. 4 Other Operational Considerations 

Among the safety issues emerging from the Modular Space Station studies 
are (1) whether interior hatches should normally be left open or closed, and 
(2) whether the number of crewmen in a given area at any one time should be 
restricted. 

Although the hazards analysis performed in consonance with this task has 
resulted in specific requirements which relate to the above issues, a discussion 
of the issues as they relate to station compartmentation is given in the 
following sections. 

Interior Hatcl/^Status 

In addressing such safety issues as whether interior hatches should 
normally be open or closed, the tradeoff decision can best be reached by 
comparing requirements for hatch usage imposed by potentially hazardous 
situations. The baseline station model assumes the primary escape route from 
station modules is via the berthing port hatches into the core module. In the 
event the primary path is blocked, a secondary route (cargo module excepted) 
is provided via an auxiliary port passage. Considerations such as potential 
difficulties in opening hatches against pressure differentials and the com- 
plexity of pressure equalization valving are the principal drivers favoring 
a "hatches normally open" policy. Advantages of keeping hatches closed are 
(1) fewer hatches to close in emergency, and (2) minimum exchange of atmosphere 
between volumes. Bearing in mind that auxiliary passage hataches only have to 
be used in emergency, and even then the normal exit is via the berthing hatch, 
tends to favor auxiliary passage hatches being closed. It is pointed out that 
some contingency situations would impose both an opening and closing action on 
the crew. There appears to be no strong driver for keeping hatches closed 
since no more than two hatches require closing in order to isolate a module, 
or three hatches to isolate a pressure volume. Since no credible situation to 
date has shown a requirement for crew evacuation in seconds rather than minutes, 
a "hatches normally open" policy is recommended. A decision to keep hatches 
open or closed is a reversible one, subject to change after operational 
experience. 
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Crew Size in One Area 

In addressing the safety issue of the number of crewmen allowed in one 
area, the maximum crew congestion is most likely to occur in the dining/ 
recreation area of either the NR or MDAC station and, as such, represents a 
worst case condition for crew evacuation following an emergency. Total crew 
assembly at one location should not in itself cause undue concern, except in 
areas where personnel escape routes are restricted; e.g., cargo modules, RAM’s, 
etc. In all areas where maximum crew congestion is likely, special considera- 
tion should be given to locating potentially hazardous equipment such that crew 
exposure to risk is minimized. On the NR station, relocation of H 2 end 0£ 
accumulators from immediately below the dining/recreation area (SM-3) to a 
location outside the habitable environment is one example. 

4.4.3 Space Station Assembly 

A different situation occurs during assembly of the space station. At 
this time the configurations of the space station are not complete, and all 
subsystems are not necessarily functioning. On the other hand, the shuttle 
orbiter is always present and attached (in the assembly operations defined in 
the Phase B studies) during manned operations on the space station. Because 
of these differences, the three basic criteria established in 4.4.2 must be 
re-evaluated and modified as necessary, and the implications of applying them 
determined. 

The configurations of the space station and orbiter during the assembly 
operations are shown in Figure 4.4-7 for the NR station, and in Figure 4.4-8 
for the MDAC station. These assembly operations are as defined in the space 
station Phase B final reports, but are regarded as typical only for purposes 
of this study. Variations, such as which docking port the orbiter is attached 
to, or even the order in which modules are brought up, are not expected to 
affect the results derived here. The assembly phase is assumed complete when 
the configuration of the station allows safe manned occupancy of the space 
station without the orbiter being present. 

The terms VI, V2, V3, etc., in these figures indicate the separately 
pressurizable compartments available at each assembly stage. Airlocks are 
indicated by the letters "AL". 

Also shown in these figures are the potential shirtsleeve egress paths 
from each module in the event of an emergency at each stage of assembly. These 
become the prime configuration oriented safety concern during assembly, and are 
discussed below under each of the three relevant criteria. 

4. 4. 3.1 Dual Egress during Assembly 

The rationale for requiring dual egress during assembly is exactly the 
same as during normal operations, and the criteria remains unchanged; i.e., 
normally habitable compartments of more than 25 m^ (880 cubic feet) in volume 
shall have two or more exits into areas which provide for personnel survival. 
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Figure 4.4-7. Egress Paths During Assembly of NR Modular 
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Examination of Figures 4.4' 7 and 4.4-8 shows that this criterion cannot 
be met in all compartments in every stage of assembly. In particular, difficulty 
arises with the "end" compartments of modules, since these do not lead to a 
habitable area. These compartments must therefore not be regarded as "normally 
habitable" during assembly. Three possible courses appear feasible for dealing 
with these compartments: 

* Restrict shirtsleeve access to such compartments during 
buildup 

* Allow access, but only after potentially hazardous equip- 
ment has been checked out, and for short time periods only 

* Allow access only, in pressure suits, and have EVA escape 
capability in the compartment 

On the NR station the criterion can be met in each module only after the 
configuration is "closed" by the auxiliary passages between adjacent modules, 
as shown in Sketch D of Figure 4.4-7. 

On the MDAC station, Figure 4.4-8, the criterion can be met on the initial 
launch when the power module is pressurized. The power module can be used as 
a temporary refuge area from which the orbiter can rescue the personnel, or 
from which EVA can be performed. This assumes, of course, that the module is 
large enough to accommodate all on-board personnel. If the pressure in this 
module is allowed to decay, and is is therefore not available for immediate 
refuge, the earlier remarks about restricting access to the "end" compartment 
apply to the MDAC station, as well. 

The MDAC concept does allow two additional options, however, which would 
make every compartment meet the criterion. These are: 

* Maintain the power module as a pressurized refuge volume 
during manned assembly operations 

* Provide rapid pressurization capability on the power module 
4. 4. 3. 2 Dual Ingress during Assembly 

The rationale for dual ingress is also unchanged during assembly, and 
the criterion remains: 

* Two or more entrances into normally habitable compartments of 
more than 25 m3 (880 cubic feet) in volume shall be shirtsleeve 
accessible from each of the other normally inhabited compart- 
ments . 

Visual inspection of Figures 4.4-7 and 4.4-8 shows that this criterion 
cannot be met during assembly on either the NR or the MDAC space station. 

Only when the configuration becomes "closed" in the NR station can this cri- 
terion be partially met. Since the intent of this criterion is to allow for 
multiple internal rescue paths to each compartment, it is particularly desirable 
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to have two or more Immediate (i.e., shirtsleeve) access routes from the orbiter 
to. each compartment. This is obviously a virtually impossible requirement to 
meet with current docking concepts. 

Steps which can be taken to improve the situation include the following: 

* Use the "buddy" system during assembly operations, so that 
each man can help the other in case of a minor accident 

* For operations in known hazardous areas, potential rescue 
personnel may be stationed in safe adjacent areas 

4.4. 3.3 Loss of Module/Compartment during Assembly 

During manned assembly operations the orbiter is attached to the space 
station. It is immediately available as a refuge in case of loss of a module 
or compartment on the space station, and as an escape vehicle for return to 
earth, if needed. The intent of the criterion defined in Section 4.4. 2.3 is 
not applicable in this situation. It is no longer necessary to provide for 
long-term survival, but only for rapid access to the orbiter or to a short- 
term survival area on the station which can be promptly reached by the orbiter. 

The criterion is therefore replaced by: 

* During manned space station assembly operations, loss of any 
one compartment/module shall still allow immediate access of 
all on-board .personnel to the orbiter or to an independently 
pressure isolateable volume from which the on-board personnel 
can transfer to the orbiter either shirtsleeve, following 
orbiter redocking, or by EVA. 

Inspection of Figures 4.4-7 and 4.4-8 shows that this criterion can be 
met in both stations at all stages of assembly. Since the loss of the module 
or volume is considered to allow a few minutes of reaction time (see Table 
4.1-2) » this means that even if the affected volume is positioned between 
the personnel and the orbiter, they still have time to pass through it to the 
orbiter. Even if the loss occurs suddently, however, and the affected module 
cannot be traversed, the configurations are all such that a temporary refuge 
area can be provided by closing off one or more hatches, and that this area 
has available an accessible docking hatch to which the orbiter can transposi- 
tion and dock. 

No problems are therefore expected from this criterion. 

4.4.4 Space Station Resupply 

During the resupply of the space station by an orbiter, two significant 
differences occur from the normal operation of the station (i.e., between 
resupply) . 
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. If the orbiter is changing the station crew, up to twice the normal 
crew complement may be present, in addition to the orbiter crew. 

. The orbiter is present and is available as an additional refuge 
area, as well as m escape vehicle. 

The first of these considerations is basically taken care of by the 
additional life support and volume provided by the orbiter and if needed a 
rescue shuttle and thus poses no additional safety issue. 

Similarly, the second consideration shows an Improved safety compared 
with the station ouiy (which has inherent safety in itself) or with the 
statlon/orblter combination (which provides the immediate escape or rescue 
capability. The resupply situation therefore has the safety advantages of 
both these situations, and the disadvantages of neither. 

No further analysis of the resupply situation is therefore considered 
necessary. 

4.4. *> Conclusions and Recommendations 


The following conclusions are made based on the analysis of section 4.4: 

. A two-pressure volume configuration, such as provided in the NR 
design, provides maximum operational flexibility (e.g., mission 
continuation) in the event of an accident in any one module. 

Adequate safety can, however, be provided without a two-volume 
arrangement, but loss of any one module (temporary or permanent) 
Interrupts the mission and may need complex orbiter rescue opera- 
tions . 

. A ’’closed" configuration which provides at least two independent 
personnel routes from any one module to any other, provides safety 
with shirtsleeve operations only. The NR space station design 
provides such a "closed" configuration by providing auxiliary 
passages between modules in addition to the mein passageway 
through the core module. 

. "Open" configurations, such as the MDAC design, rely on airlocks 
and IVA, EVA or orbiter rescue to ensure personnel safety in 
situations requiring emergency evacuation of a module. 

. Special precautions must be taken during spage station assembly 
to assure safety of personnel. These precautions include restrict- 
ing access to station compartments which do not have dual shirtsleeve 
egress, unless the time spent in the compartment is short, poten- 
tially hazardous equipment has been checked prior to entry, EVA 
suits are provided, and buddy system employed. 

. Space station resupply does not present any unusual safety problems 
which require unique criteria, re.^r' aments or solutions. 
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The following recommendations are made based on the analysis of section 4.4: 

. Interconnect all modules through an auxiliary passage to provide 
dual shirtsleeve egress , or where this is impractical, provide a 
floor in the module which provides for independent personnel routes 
Above and below the floor. 

. Design all hatches to be operable from either side to enable 
escape from within or rescue from outside a module/compartment. 

. Interior hatches shall normally be open, with the exception 
of emergew.y egress hatches \rhlch shall normally be closed. 

. Potentially hazardous equipment should not be located in or near 
areas where maximum crew congestion is likely to occur; e.g., 
dining/recreation areas. 

. Potentially hazardous equipment should not be located in the 
vicinity of the module docking Interface. 
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APPENDIX A 

SUPPORTING ANALYSES-HAZARDOUS PAYLOADS 


A. 1 TYPICAL ORBITER ABORT DATA 

Orbiter aborts considered in this task of the study encompassed three of 
five mission phases, and were investigated primarily to provide an estimate 
of the reaction time available to perform emergency payload functions in the 
event of an abort. 

Prelaunch and mated ascent phase aborts were not considered. Data 
relative to an abort during the orbiter solo ascent, on-orbit entry, and 
atmospheric flight/ landing phases are provided below: 

1. An orbiter failure precluding successful orbit injection into a 
93 by 185 km(50 by 100 nm) orbit could result in reentry into the 
sensible atmosphere after a relatively short (about 100 seconds) 
ballistic trajectory. 

2. Three abort mode ions a.e available to the orbiter during the 
orbiter solo ascei.i phase. These are shown below, together with 
estimated reaction times to perform both orbiter and payload con- 
tingency functions: 

a. Continue to or >it - 50 min 7 days 

b. Once around - approximately 50 min 

c. Downrange landing - less than 100 sec 

3. Shuttle cargo bay doors can open in approximately 1 minute. 

4. Maximum Shuttle payload weight during an abort as limited by Shuttle 
entry and landing loads characteristics may require offloading of 
payload fluids, or result in increased risk with a reduction in the 
normal safety factor for an abort situation. 

A. 2 TYPICAL ORBITER CARGO BAY PRESSURE ENVIRONMENT 

The projected cargo internal pressure time histories during ascent and 
rentry are s.town in Figures A-l and A-2. The figures assume that adequate 
venting is provided to limit the pressure differential access the orbiter 
cargo bay to within a structural limitation value of 13.7 x 10^ N/m2 (2 psi). 
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Table A-l. Typical Temperature Limits for the Internal Walls of the Cargo Bay 
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As is shown, the cargo bay is nearly totally evacuated in less than three 
minutes after launch, which is approximately four minutes before orbit 
injection. Therefore, for a normal Shuttle mission, the cargo bay will be 
vented prior to attainment of orbit. 

During re-entry, approxima ely 40 minutes elapse after the de-orbit burn 
before entry into the sensible atmosphere, after which normal atmospheric 
pressure is reached in approximately 20 minutes. 

A. 3 TYPICAL SHUTTLE CARGO BAY THERMAL ENVIRONMENT 

Projected temperature limits for the internal walls of the cargo bay, as 
a function of payload external surface temperature, are shown in Table A-l for 
payload temperatures ranging from -420 °F to +100 °F in. The table assumes that 
the Shuttle utilizes LO 2 and LH 2 propellants with storage tanks in the proximity 
of the cargo bay. 

As can be seen from the table, the low temperature extreme of -420°F on 
the sides, bottom, and ends of the cargo bay can result during the on-orbit 
and entry phases, and also the cargo bay temperature is very sensitive to 
payload temperature. The max.mum temperature of 250°F, which occurs on the 
inside of the cargo bay doors during entry, is insensitive to the payload 
external surface temperature. 

A. 4 UPPER STAGE VEHICLES 

Table A-2 summarizes the main characteristics of the six vehicles con- 
sidered. Figures A-3 through A -8 show the salient features and configurations 
of these vehicles. The last figure shows one possible configuration of the 
00S or tug and should be regarded as typical only. 


Table A-2. Main Characteristics of Upper Stage Vehicles 


Name 

Manufact- 

urer 

Engines 

Total Thrust 
KN, (Klb) 

Main Engine 
Propellants 

Diameter 

(ft) 

Length 

(ft) 

Agena 

Lockheed 

1 

71(16) 

UDMH § IRFNA 

1.5 (5) 

6.4 (21) 

Centaur 

GD/Convair 

2 

133(16) 

t M 2 6 L0 2 

3.C (10) 

9.6 (31.5) 

Trans t age 

Martin 

2 

71(16) 

A-50 § N 2 O 4 

3.0 (10) 

4.4 (14.5) 

Burner II 

Boeing 

1 

48(10) 

Solid Propellant 

1.5 (5) 

1.4 (4.5) 

Apollo 

Service 

Module 

North 

American 

Rockwell 

1 

54(21) 

A-S0 § N 2 O 4 

4.0 (13) 

6.9 (22.5) 

Orbit-to- 
Orbit 
Shuttle 
(00S) /Tug 

1 

1, 0 or 4 

67-110 

(15-25) 

LH 2 6 L0 2 

4.6 (15) 

11.0 (36) 
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Primary orbiter operations as related to the deployment and retrieval 
of upper stage vehicles are shown in Table A-3. The operations, which 
are listed in the order in which they occur in the mission, were used as a 
baseline to establish identification of hazardous operations associated with 
upper stage vehicles as orbiter payloads. 

Table A-3. Typical Operations for Orbiter Deployment and Retrieval 

of Upper Stage Vehicles 


DEPLOYMENT 

Maintain orbiter attitude control. 

Mate deployment mechanism to upper stage vehicle. 

Release upper stage vehicle from cargo bay attach points. 

Extend upper stage vehicle out of cargo bay. 

Perform checkout to verify payload integrity for free flight (G&C, RCS, 
electrical, propulsion, R.F. Communications, etc.). 

Perform upper stage vehicle separation from deployment mechanism attach 
points and all other mechanical, electrical, fluid, and hardline 
instrumentation interfaces. 

Damp orbiter separation transients. 

Damp upper scage vehicle separation transients. 

Maneuver upper stage vehicle to safe separation distance from orbiter. 
Perform upper stage vehicle burn and completion of mission 

RETRIEVAL 

Achieve and maintain adjacent station keeping position between the 
orbiter and upper stage vehicle. 

Maintain upper stage vehicle attitude control. 

Maintain orbiter attitude control 
Extend capture mechanism from cargo bay. 

Mate capture mechanism with upper stage vehicle. 

Da: f> mating transients. 

De-activate upper stage vehicle attitude control. 

Dump upper stage vehicle propellants and pressurants. 

Retract upper stage vehicle into cargo bay. 

Secure upper stage vehicle to cargo bay attach points. 

De-mate capture mechanism from upper stage vehicle and stow in cargo bay. 
f : ->se cargo bay doors. 
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Potential hazards vero identified by considering the hazardous elements 
of each upper stage vehicle (Section 4. 1.2.2) and potential failure modes 
as applicable to each operation (Section 4. 1.2. 3). These potential hazards 
are listed 'or each upper stage vehicle in Tables A~4 to A-8 listed by 
mission phase. Because of lack of detailed hardware definition, hazards 
for the OSS/Tug have not been identified in this detail, but the Centaur 
hazards may be regarded as typical of the OOS/Tug. 


Table A-4. Agena/Orblter Hazards 


i 


•f 



1. Transport In the shuttle bay while In parking orbit. 


1.1 Helium tank or line explosion. 

1.2 Nitrogen tank or line explosion. 

1.3 Premature pyrotechnic Initiation. 

1.3.1 Helium valve (s). 

1.3.2 Turbine start solid propellant charge(s). 

1.3.3 Destruct charge (if required). 

1.3.4 Secondary translation solid rockets (if required). 

1.3.5 Payload separation pyrotechnics. 

1.3*6 Forward structure skin panel separation. 

1.4 Oxidizer leak - Corrosive fluid into closed cargo bay. 

1.4.1 Tank. 

1.4.2 Rocket engine start valve. 

1.4.3 Vent valve. 

1.4.4 Piping. 

1.4.5 Fill valve. 

1.4.6 Gas generator valve. 

1.5 Fuel leak - Corrosive fluid into closed cargo bay. 


1.5.1 Tank. 

1.5.2 Rocket engine start valve. 

1.5.3 Vent valve. 

1.5.4 Piping 

1.5.5 Fill valve 

1.5.6 Gas generator valve. 

1.6 Inadvertent start. 


1.6.1 Signal. 

1.6.2 Gap generator valve opens. 

1.7 Inadvertent Agena separation from EOJ. 

1.7.1 One attachment point separated. 

1.7.2 Two attachment points separated. 

1.7.3 All attachment points sepsrated. 
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Table A-4. Agena/Orbiter Hazards (Continued) 

1.8 Inadvertent satellite separation from Agena. 

1.8.1 Agena structure failure. 

1.8.2 Signal sent in error. 

2. During shuttle boost to higher orbit. 

2.1 thru 2.6 same as 1.1 thru 1.8. 

2.9 Support structure failure. 

-Transition piece failure between Agena circular ring and EOS 
hard points. 

3. In the higher orbit. 

3.1 thru 3.8 same as 1.1 thru 1.8. 

4. While being prepared for deployment. 

4.1 thru 4.8 same as 1.1 thru 1.8. 

5. During deployment and release. 

5.1 Deployment 

5.1.1 thru 5.1.3 same as 1.1 thru 1.3. 

5.1.4 thru 5.1.6 same as 1.6 thru 1.8. 

5.1.7 same as 2.9. 

5.2 Release 

5.2.1 thru 5.2.3 same as 1.1 thru 1.3 

5.2.4 same as 1.6. 

5.2.5 same as 1.8. 

5.2.6 Gas jet thruster failed "on 1 ' - pitch jet //2 or 5. 

5.2.7 Directed helium leak sufficient to over-power the gas jets. 

5. 2.7.1 Tank. 

5. 2. 7. 2 Helium start valve. 

5. 2. 7. 3 Helium fill valve. 

5.2.8 Directed nitrogen leak sufficient to overpower the gas jets. 

5. 2.8.1 Tank. 

5. 2. 8. 2 N 2 start valve. 

5. 2. 8. 3 N 2 fill valve. 
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Table A-4. Agena/Orblter Hazards (Continued) 

5.2.9 Directed oxidizer leak sufficient to over-power the gas jets. 

5. 2. 9.1 thru 5. 2. 9. 6 same as 1.4.1 thru 1.4.6. 

5.2.10 Directed fuel leak sufficient to over-power the gas jets. 

5.2.10.1 thru 5.2.10.6 same as 1.5.1 thru 1.5.6. 

5.2.11 Mo separation. 

5.2.11.1 All separation points successful except 1. 

5.2.11.2 Mo separation points successful. 

5.2.12 Failure of critical functions. 

5.2.12.1 Electrical power. 

5.2.12.2 Gas jets. 

5.2.12.3 Stabilization control. 

6. During retrieval. - No applicable. 

7. During parking orbit until de-orblt.- Not applicable. 

8. During and following an aborted shuttle mission at any of the above 
stages. 

8.1 Abort not related to payload. 

8.1.1 Agena and satellite too heavy for EOS return ( reentry, 
or landing. 

8.2 Abort because of hazard or failure In payload. 

8.2.1 Damage to Agena or EOS preventing deployment and release. 

8. 2. 1.1 thru 8. 2. 1.8 same as 1.1 thru 1.8. 
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Table A-5, Centaur /Orb iter Hazards 


1. Transport in the shuttle bay while in parking orbit. 

1.1 Helium tank or line explosion. 

1.2 Hydrogen peroxide tank or line explosion. 

1.3 Premature pyrotechnic initiation. 

1.3*1 Centaur Insulation panels shaped charges. 

1.3.2 Command destruct shaped charge. 

1.3.3 Centaur attachments to EOS and payload, if required. 

1.3. 3.1 Centaur/EOS adapter. 

1.3. 3. 2 Centaur /payload separation. 

1.4 Oxidizer leak - Excessive fluid into partially closed cargo bay. 


- internal and external. 


1.4.1 Tank. 

1.4.2 Oxidizer inlet shutoff valve 

1.4.3 Fill and drain valve. 

1.4.4 Boost pump - external. 

1.4.5 Piping - many fittings. 

1.4.6 Vent valve. 


1.5 Fuel leak - excessive fluid into partially closed cargo bay. 

1.5.1 Tank. 

1.5.2 Fuel inlet shutoff valve - external. 

1.5.3 Fill and drain valve. 

1.5.4 Boost pump - external. 

1.5.5 Piping - many fittings. 

1.5.6 Vent valve. 


1.6 Inadvertent start. 

1.6.1 Without ignition. 

1.6. 1.1 Excessive fluid into partially closed cargo bay. 

1.6. 1.2 Explosive atmosphere around electrical disconnects. 

1.6.2 With ignition. 

1.6. 1.1 Combustion gases into partially closed cargo bay. 

1.6. 2. 2 Combustion gas Impingement on critical EOS components. 

1.6.3 H 2 0 2 initiation only. 

1.6. 3.1 H„ boost pump. 

1.6. 3. 2 0 2 boost pump. 

1.7 Inadvertent activation of RCS thruster(s). 

-Any thruster or combination of thrusters. 

1.7.1 Release of hot gas into partially closed cargo bay. 

1.7.2 Impingement of hot gas on cargo bay wall. 


A-15 






Space Division 

North American Rockwell 


Table A-5. Centaur /Orbiter Hazards (Continued) 


1.8 H 2 O 2 leak - catalytic decomposition of H 2 O 2 liquid or vapor on 
incompatible materials,; e.g., 

1.8.1 RCS thruster valves (14). 

1.8.2 Tank. 

1.8.3 Piping. 

1.9 Inadvertent Centaur separation from EOS. 

1.9.1 Activation of any one of three attachment points. 

1.10 Inadvertent satellite separation from Centaur. 

1.10.1 Signal sent in error. 

1.11 Imbalance of pressure in main propellant tanks - potential 
rupture of conmon bulkhead and mixing of propellants into 
an explosive combination. 

1.12 Overboard line separation - configuration for minimum EOS 
impact is ground tanked. 

1.12.1 Hydrogen vent lines (2). 

1.12.2 Hydrogen fill and drain line. 

1.13.3 Oxygen fill and drain line. 

1.12.4 Oxygen vent line. 

1.13 Helium regulator for oxidizer tank pressurization failed open. 

1.14 Helium regulator for fuel tank pressurization failed open. 

2. During shuttle boost into higher orbit. 

2.1 thru 2.14 same as 1.1 thru 1.14. 

2.2 Structural failure of any one of three attachment points. 

3. In the higher orbit. 

3.1 thru 3.14 same as 1.1 thru 1.14. 

4. While being prepared for deployment. 

4.1 thru 4.14 same as 1.1 thru 1.14 

5. During deployment and release. 

5.1 Deployment 

5.1.1 thru 5.1.3 same as 1.1 thru 1.3 

5.1.4 same as 1.6.2. 

5.1.5 thru 5.1.7 same as 1.9 thru 1.11. 
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Table A-5. Centaur/Orblter Hazards (Continued) 

5.1.8 and 5.1.9 same as 1.13 and 1.14. 

5.1.10 Structural failure of Centaur /EOS attachment points. 

5.1.11 Inability to separate overboard lines and electrical 
connectors between Centaur and EOS. 

5.2 Release. 

5.2.1 thru 5.2.3 same as 1.1 thru 1.3 

5.2.4 same as 1.6.2. 

5.2.5 same as 1.11. 

5.2.6 and 5.2.7 same as 1.13 and 1.14. 

5.2.8 Gas jet thrusters staited "on". 

5. 2. 8.1 Either pitch jet. 

5. 2. 8. 2 Any one 53// thruster. 

5.2.9 Directed helium leak sufficient to overpower the gas jetts. 

5. 2. 9.1 Tank(s). 

5. 2. 9. 2 Fill valve. 

5. 2.9. 3 Start valve (s). 

5. 2. 9. 4 Regulator (s) . 

5.2.10 Directed oxygen leak sufficient to overpower thrfe gas jets. 

5.2.10.1 thru 5.2.10.6 same as 1.4.1 thru 1.4.6. 

5.2.11 Directed fuel leak sufficient to overpower three gas jets. 

5.2.11.1 thru 5.2.11.6 same as 1.5.1 thru 1.5.6. 

5.2.12 No separation. 

5.2.13 Failure of critical function. 

5.2.13.1 Electrical power. 

5.2.13.2 Gas jets. 

5.2.13.3 Stabilization control. 

6. During retrieval 

6.1 Rendezvous and docking - active rendezvous by EOS and special 
docking adapter, since Centaur RCS is insufficient to provide 
translation in all axes. 

6.1.1 Inability to depressurize main tanks. 

6.1.2 and 6.1.3 same as 1.1 and 1.2 

6.1.4 H 2 0 2 leak sufficient to exhaust the supply. 

6. 1.4.1 thru 6.1.4. 3 same as 1.8.1 thru 1.8.3. 
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Table A-5 . Centaur/Orbiter Hazards (Continued) 

6.1.5 sama as 1.11. 

6.1.6 and 6.1.7 same as 1.13 and 1.14. 

6.1.8 same as 5.2.13. 

6.2 Retrieval into the cargo bay. 

6.2.1 Failure to relieve helium pressure and exhaust H 2 O 2 . 

6.2.2 same as 2.2 

6.2.3 Inability of the cargo bay doors to close due to inter- 
ference with overboard connection. 

7. During parking orbit until de-orbit - no credible hasards. 


Table A-6, Trans tage/Orblter Hazards 


1. Transport in the shuttle bay while in parking orbit. 

1.1 Helium tank or line explosion. 

1.2 Nitrogen tank or line explosion. 

1.3 Oxidizer leak - corrosive fluid into partially closed cargo bay. 

1.3.1 Tank. 

1.3.2 Bipropellant valve (2). 

1.3.3 Piping. 

1.4 Fuel leak - corrosive fluid into partlllay closed cargo bay. 

1.4.1 Tank 

1.4.2 Bipropellant valve (2). 

1.4.3 Piping. 

1.5 Inadvertent start - hot gas impingement on critical shuttle 
components . 

1.5.1 Either or both bipropellant valves opening. 

1.5.2 Inadvertent signal to fuel control solenoid. 

1.6 Inadvertent separation of Transtage from EOS, 

1.7 Inadvertent separation of payload from Transtage. 

2. During shuttle boost to higher orbit* 

2.1 thru 2.7 same as 1.1 thru 1.7. 

2.8 Support structure failure - transition piece between Trans t age 
and EOS support. 
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Table A-6. Transtage/Orbiter Hazards (Continued) 


3. In the higher orbit. 

3.1 thru 3.7 same as 1.1 thru 1.7. 

A. While being prepared for deployment. 

A.l thru 3.7 same as 1.1 thru 1.7. 

5. During deployment and release. 

5.1 Deployment 

5.1.1 and 5.1.2 same as 1.1 and 1.2. 

5.1.3 thru 5.1.5 same as 1.5 thru 1.7. 

5.1.6 same as 2.8. 

5.2 Release 

5.2.1 and 5.2.2 same as 1.1 and 1.2 

5.2.3 same as 1.5. 

5. 2. A Directed helium leak sufficient to overpower the 
RCS jets. 

5 . 2 . A . 1 Tank . 

5. 2. A. 2 Piping. 

5.2.5 Directed nitrogen leak sufficient to overpower the 
RCS jets. 

5. 2. 5.1 Tank. 

5. 2.5.2 Piping. 

5.2.6 Directed oxidizer leak sufficient to overpower the RCS 
jets. 

5. 2.6.1 thru 5. 2. 6. 3 same as 1.3.1 thru 1.3.3. 

5.2.7 Directed fuel leak sufficient to overpower the RCS jets. 

5. 2. 7.1 thru 5.2. 7. 3 same as l.A.l thru l.A.3. 

5.2.8 Failure of critical functions. 

5. 2.9.1 Electrical power. 

5. 2. 9. 2 RCS engines - explosion or valve started closed. 

5. 2. 9. 3 Stabilization control. 

6. During retrieval - not applicable 

7. During parking orbit, until de-orbit - not applicable. 
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Table A-6. Tran stage/Orb iter Hazards (Continued) 


During and following an aborted shuttle mission at any of the 
above stages. 

8.1 Abort not related to Transtage or payload. 

8.1.1 Transtage and payload too heavy for EOS return, 
reentry, or landing. 

8.2 Abort because of hazard of failure in Transtage or payload, 

8.2.1 thru 8.2.7 same as 1.1 thru 1.7. 


Table A-7. Burner 11/Orblter Hazards 


1. Transport in the shuttle bay while in parking orbit. 

1.1 Nitrogen tank or line explosion. 

1.2 H 2 O 2 tank or line explosion. 

1.3 Premature pyrotechnic initiation. 

1.3.1 Pyrogen igniter - ignites rocket engine. 

- Hot gas impingement on critical upper stage 

components. 

- Large volume of hot gas in partially closed 

cargo bay. 

1.3.2 Burner 11 attachment to payload. 

- Releases payload inside cargo bay. 

1.3.3 Destruct system, if required. 

1.4 H 0 2 leak - corrosive and heat generating liquid released into 

^ the cargo bay. 

1.4.1 Fill and drain port. 

1.4.2 Piping. 

1.4.3 Relief valve. 

1.4.4 Start valves (4). 

1.5 N 2 pressure regulator failure in the open position. 

-Overpressurize the downstream piping and H 2 0 2 tanks. 

Possible explosion. 

1.6 Inadvertent opening of any H 2 <> 2 start valve - release of hot 
steam Into cargo bay. 
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Table A-7 . Burner 11/Orbiter Hazards (Continued) 


1* 7 Inadvertent separation of Burner 11 from upper stage vehicle* 

2. During shuttle boost into higher orbit. 

2.1 thru 2.7 same as 1.1 thru 1.7. 

2.8 Burner 11 structural failure and separation from payload 
or upper stage. 

3. In the higher orbit. 

3.1 thru 3.7 same as 1.1 thru 1.7. 

4. While being prepared for deployment. 

4.1 thru 4.7 same as 1.1 thru 1.7. 


5. During deployment and release. 


5.1 Deployment 


5.1.1 thru 

5.1.4 same 

5.1.5 same 

5.1.6 same 


5.1*3 same 
as 1.5. 
as 1.7. 
as 2.8. 


as 1.1 


thru 1.3 


5.2 Release 


5.2.1 thru 5.2.3 same as 1.1 thru 1.3. 

5.2.4 thru 5.2.6 same as 1.5 thru 1.7. 

5.2.7 Inadvertent opening of gas jet start valve. 

5. 2. 7.1 Either pitch jet. 

5. 2. 7. 2 Either yaw jet. 

5. 2. 7. 3 Any combination of two roll jets. 


5.2.8 Directed nitrogen leak sufficient to overpower the gas jets. 


5. 2. 8.1 Tanks (2). 

5. 2. 8. 2 High pressure fill port. 

5.2.8. 3 pressure regulator. 

5. 2. 8. 4 Regulated pressure fill and bleed port. 

5. 2. 8. 5 Gas jet start valves (6). 

5.2.9 No separation of Burner 11 upper stage assembly from 
deployment mechanism. 

5.2.10 Primary battery failure — loss of attitude control • 

5.2.10.1 Overpressure and expulsion of electrolyte. 

5.2.10.2 Internal short. 

5.2.10.3 Internal open. 


V 


A-21 . 


SD 72-SA-0094-2 




Space Division 
North American Rockwell 


Table A-7. Burner 11/Orblter Hazards (Continued) 

5.2.11 Primary electrical distribution harness failure - open 
or short. 

5.2.12 Gyro Inertial reference failure - loss of vheicle 
orientation control. 

5.2.13 Programmer failure - loss of control signals. 

5.2.14 Inverter failure. 

5.2.15 Flight control electronics failure. 

6 . During retrieval - not applicable. 

7. During parking orbit until de-orbit - not applicable.- 

8 . During and following an aborted shuttle mission at any of the above 
stages. 

8.1 Abort not related to Burner 11 or payload. 

8.1.1 Upper stage, Burner 11, and payload too heavy for EOS 
return, reentry, or landing. 

8.2 Abort because of hazard or failure in Burner 11 or payload. 

8.2.1 thru 8.2.7 same as 1.1 thru 1.7. 


Table A- 8 . Apollo Service Module/Orbiter Hazards 


1. Transport in the shuttle bay while in parking orbit. 

1.1 Helium tank ( 6 ) or line explosion. 

1.2 Oxygen tank (2) or line explosion. 

1.3 Hydrogen tank or line explosion. 

1.4 Premature pyrotechnic initiation. 

1.4.1 Antenna deployment. 

1.4.2 SM separation from shuttle attac!aent points. 

1.4.3 Payload separation from SM. 

1.5 N 2 O 4 leak - corrosive fluid into partially closed cargo bay. 

1.5.1 Tank. 

1.5.2 Piping. 

1.5.3 Flexible lines. 
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1.6 A-50 leak - corrosive and heat generating fluid Into partially 
closed cargo bay. 

1.6.1 Tank. 

1.6.2 Piping. 

1.6.3 Flexible lines. 


1.7 Inadvertent start - signal. 

1.8 Water /glycol leak. 

1.8.1 Piping 

1.8.2 Radiators. 

1.9 Monomethyl hydrazine leak - corrosive fluid. 

1.9.1 Tanks (8). 

1.9.2 Piping. 

2. During shuttle boost to higher orbit. 

2.1 thru 2.8 same as 1.1 thru 1.6* 

? 9 Structural failure of connection between SM & EOS. 

3. In the higher orbit. 

3.1 thru 3.9 same as 1.1 thru 1.9. 

4. While being prepared for deployment. 

4.1 thru 4.9 same as 1.1 thru 1.9. 

4.10 Fuel cell explosion. 

5. During deployment and release. 

5.1 Deployment. 

5.1.1 thru 5.1.4 same as 1.1 thru 1.4. 

5.1.5 same as 1.7. 

5.1.6 same as 2.9. 

5.1.7 same as 4.10. 

5.2 Release 

5.2.1 thru 5.2.4 same as 1.1 thru 1.4. 

5.2.5 same as 1.7. 

5.2.6 RCS engine explosion. 
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Table A-8. Apollo Service Module/Orbiter Hazards (Continued) 


5 . 2.7 Directed helium leak s rficient to overpower the RCS 
engines - tank. 

5.2.8 Directed oxygen leak - tank. 

5.2.9 Directed hydrogen leak - tank. 

5.2.10 Directed ^0^ leak - tank. 

5.2.11 Directed A- 50 leak - tank. 

5.2.12 Directed MMH leak - tank. 

5.2.13 No separation. 

5.2.14 Fialure of critical functions. 

5.2.14.1 Electrical power. 

5.2.14.2 Sequential events control. 

5.2.14.3 Pyrotechnics. 

5.2.14.4 Guidance and control. 

5.2.14.5 Reaction control. 

5.2.14.6 Structure. 

6. During retrieval - not applicable. 

7. During parking orbit until de-orbit - not applicable. 

8. During and following an aborted shuttle mission at any of the 
above stages. 

8.1 Abort not related to payload - SM and payload too heavy for 
LOS return, reentry, or landing. 

8.2 Abort because of hazard or failure in payload - damage to 
SM preventing deployment and release. 

8.2.1 thru 8.2.9 same as 1.1 thru 1.9. 
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Potential causes for the various emergencies have been identified, 

and are as follows: 

A. Potential Causes of Fire in or Near Cargo bay 

1. Leakage of flammable fluids, or fluids which present a fire hazard, 
into a habitable volume. 

2. Leakage or venting of flammable fluid near RCS exhaust plume. 

3. Leakage or venting of monopropellants which impinge on catalyst 
source. 

4. Simultaneous leakage or venting of mutually reactive fluids. 

5. Simultaneous venting of fluids which are mixed, after venting, 
near RCS exhaust plume. 

6. Accidental or inadvertent firing of payload RCS engines. 

B. Potential Causes of Explosion in or Near Cargo Bay 

1. Rupture of pressure vessel or explosive fluid container or lines. 

2. Leakage of explosive fluids or fluids which create an explosion 
hazard with subsequent ignition into the shuttle cargo bay. 

3. Venting of explosive fluid(s) near RCS exhaust plume. 

4. Leakage or venting of monopropellants which impinge on a 
catalyst source. 

5. Simultaneous leakage or venting of mutually reactive fluids. 

6. Simultaneous venting of fluids which are mixed, after venting, 
near an RCS exhaust plume. 

7. Accidental or inadvertent firing of payload RCS engines, main 
propulsion engines, and pyrotechnic or other explosive devices. 

C. Potential Causes of Exposure of Orbiter Personnel to Toxic Environment 

1. Release of a toxic payload fluid into a pressurized volume of the 
payload, the environment of which is serviced by the orbiter or 
interfaces with the orbiter environmental control and life support 
system. 

2. Contamination of a pressurized payload environment which inter- 
faces with the orbiter environment control and life support system 
at some point in the mission after removal from the orbiter cargo 
bay, such as during deployment and checkout operations. 
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D. Potential Causes of Corrosive Environment to Orbiter Equipment 

1. Leakage of corrosive fluid container or plumbing. 

2. Venting of corrosvie fluids which contact vehicle structure or 
external subsystem components. 

3. Rupture of corrosive fluid container or plumbing. 
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Flammable fluid hazards can be categorized into five areas: 

1. Those fluids which are flammable in the presence of oxygen at 
specific temperatures and pressures. 

2. Those fluids which can act as oxidizing agents and increase the 
fire hazard by decreasing the ignition temperature, and therefore 
increase the potential sources of ignition. 

3. Those fluids such as monopropellants, which do not require the 
presence of oxygen to bum, but decompose violently in contact 
with a solid catalyst under specific conditions of temperature 
and pressure. 

4. Mutually reactive fluids, such as hypergolic bi -propellants , 
which do not require the presence of oxygen or an ignition source 
to chemically react and produce high temperatures. 

5. Mutually reactive fluids, such as non-hypergolic bi -propellants, 
which require an ignition source to chemically react and produce 
high temperatures. 

A. 5 FLUID HAZARDS 

The hazards for each fluid identified in Section 2.2.6, Table 2-4 of the 
main text of this volume, are classified into toxic, flammable, corrosive, and 
explosive. Theae characteristics were extrapolated primarily from the third 
edition of "Dangerous Properties of Industrial Materials" by N. Irving Sax, 
1968, Reinhold Book Corporation. 

Toxicity is the ability of a chemical to produce injury once it reaches a 
susceptible site in or near the body. Classes of toxic substances of concern 
are fumes , mists , vapors , gases , and cryogens . All cryogens are toxic in that 
severe frostbite "burns" and tissue damage can result from contact with the 
skin. Toxic fluids were classified into those substances which (1) act as a 
simple asphyxiant, that is, the gas replaces oxygen until a toxic level due to 
insufficient oxygen is reached, (2) are toxic at temperatures which are below 
that required for decomposition, and (3) are toxic before decomposition, but 
which become extremely toxic when heated to decomposition. The table does not 
distinguish between the levels of toxicity such as slight > moderate, or severe, 
nor does it define the effects in terms of acute (short duration, seconds, 
minutes, hours), chronic (long duration - days, months, years), or exposure 
media (inhalation, absorption, through skin, intestinal canal, etc.). 
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Fluids which could be expected to create a corrosive environment for 
common spacecraft materials are indicated for their potential corrosive 
effect in an earth environmeit. Of the oxidizers, oxygen (0^) could be 
expected to require a relatively long time to produce corrosive damage. 
Nitrogen oxide (NO) emits corrosive fumes when exposed to water or steam. 
Nitrogen tetroxide (N 2 O 4 ) , which is used on the Agena, Transtage, Apollo 
Service Module and has potential use on future automated payloads, is 
extremely corrosive and could be expected to be capable of producing 
structural or equipment damage within seconds after contact. Hydrogen 
peroxide is highly ccr 3 sive in concentrations greater than approximately 
40%. Hydrazine (N 2 H 4 ) and members of the hydrazine family indicated on the 
table, A-50 (50% UDMH ♦ 50% hydrazine), and monomethyl hydrazine are corro- 
sive. Hydrazine fuel* containing hydrazine nitrate and hydrazine diperchlor- 
ate act as acids in hydrazine solutions, and are responsible for higher 
corrosion rates. Corrosion and toxicity ratings for hydrazine propellants 
are listed in Table A-9, as obtained from Report SP06R70-F, Space Station 
Study of Re-Supply/Repair of Monopropellant Subsystems, Final Report, 

February 1971, prepared by Hamilton Standard for NASA MSFC. 


Table A-9. Corrosion and Toxicity Characteristics of Hydrazine Blends 


MONOPROPELLANT 

CORROSIVE 

TOXICITY 

(1) Hydrazine 

M 

M 

(2) Monomethyl Hydrazine (MMH) 

L-M 

M 

(3) Unsymmetrical Dimethyl Hydrazine (UDMH) 

L 

L-M 

(4) Aerozine -50 (UDMH + N 2 H 4 ) 

L-M 

M 

(5) MHF-3 (MMH + N 2 H 4 ) 

L-M 

M 

(6) X-Mix (MMH + N 2 H 4 + H 2 0) 

L-M 

M 

(7) BA10-14 (M4H + N 2 H 4 + H 2 0) 

M-H 

M 

( 8 ) Q-Mix (MMH + N 2 H 4 + H 2 O + HN) 

M-H 

M 

(9) MHF-5 (MMH + N 2 H 4 + HN) 

M 

M 

(10) Hydrazine - Hydrazine Nitrate - Water 

H 

M 

(11) Hydrazine - Hydrazine Diperchlorate - 
Water 

H 

M 

(12) Hydrazine - Hydrazine Azide - Water 

M 

M 

(13) Hydrazine - Methoxhaiuine Nitrate 

H = High 
M = Moderate 
L = Low 

M-H 

M 
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Explosive fluid hazards can be categorized into three areas: 

(1) Those fluids which are explosive in the presence of oxygen at 
specific temperatures and pressures. 

(2) Those fluids which can act as oxidizing agents and increase the 
explosion hazard by decreasing the ignition temperature and there- 
fore increase the potential sources of ignition while at the same 
time increase detom tion rates. 

(3) Those fluids which are hazardous because when heated, shocked, or 
contaminated, the concentrated material can explode or start fires. 

It is significant to note that hydrogen peroxide falls into category 
(3) above. 


5 



A. 6 PROPERTIES OF PRIMARY PAYLOAD FLUIDS 

Common properties of primary fluids to be carried as orbiter payloads 
in significant quantities are tabulated in metric units (Table A-9)! 
and engineering units (Table A-10) . The references under flashpoint 
temperatures refer to standard equipment utilized in industry to determine 
the lowest temperature at which a liquid will give off enough vapor, or 
near its surface, such that in an intimate mixture of air and a spark of 
flame, it ignites. LEL refers to Lower Explosive Limit. 


A. 7 COMPRESSED GAS TNT EQUIVALENT 


The TNT equivalency of compressed gas is shown in Figure A-9. 

The equivalency is shown for gas expansion to one atmosphere pressure 
and to space vacuum. The figure is based on the gas behaving like a 
perfect gas over the range of pressures and temperatures involved. It 
is also assumed that the gas expands adiabatically (no heat transfer) and 
isentropically (maximum energy release). The results should be very good 
for the one atmosphere case, but some errors can be expected at the highest 
pressure shown for this case, and for the full range for the vacuum case, 
because of liquefaction and solidification of the gas at the extremely low 
temperatures it expands to. 

The largest anticipated usage of compressed gas for shuttle payloads 
is expected to be associated with upper stage vehicles requiring propellant 
system pressurization gases, and with Space Station modules which require 
atmospheric pressurization and re-pressurization gases. The Centaur, for 
example, may require as an energy source in an emergency propellant dump 
system 5 helium pressure vessels at 2.1 x 107 N/m2 (3000 psi) , with each 
tank having an internal volume capacity of 0,168m3 (6 ft 3) . The TNT equiva- 
lent per tank is 2.73 kg (6 lb). 


The Apollo Service Module contains two lm (40 inch) diameter helium 
tanks capable of storing 0.54n>3 (19.4 ft$) of gas each at 2.75 x 10 7 N/m2 

4000 psi. Each tank has the equivalent of approximately 12.4 kg (27.2 lb) 

TNT if loaded to capacity. 
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Table A-9. Properties of Primary Payload Fluids 


Metric Units 


pi IHD 

pmoi'lkty 

lie 

It 2 (para) 

"2 

°2 

IJUMH 

"2°4 

Mil 


"2*4 

Critical Temper at ure *C 
Critical Pressure n/m2 

-261.0 

2 . 2 »xlOS 

-240 

1.30*106 

-147 

3.40*10$ 

•118.4 

5.09x106 

250 

5.42x10* 

158.2 

1.013x10? 

312 

8.24x10* 

457 

2 . 151x107 

380 

1.47x107 

Boiling Point *C 

Frees lng Point *C 

•261,9 

•272 

-2S3 

-259 

-195.5 

-215 

•183.0 

-218.3 

63 

-57.2 

21.15 

- 12.2 

•7.5 

-52.5 

150.2 

0.43 

113.5 

1.5 

Heat of Fusion * 

Heat of Vaporisation * 

6 ~" 

14.0 

108 

6.09 

47.6 

3.30 

50.9 

40.1 

139.4 

32.3 to 37.2 

93.4 

54.1 

210 

74.1 

94.5 

334 

Auto Ignition T *C 

NA 

579 

NA 

... 

250 

... 

194 

... 

270 

Flammability Range 
in Air 

NA 

3.2 to 60 

g/«J at 

20 *C 

NA 

... 

2 (LEI) to 
90% by V 
at amb.T 

... 

2.5(LEL) 
to 98% at 
1 atmos. 

... 

4.7(LEL)to 
100% by V 
at 100 % 

Flash Point, Open 
C*> c 

NA 

... 

NA 

... 

-15 

... 

17.2 

... 

52.0 

Flash Point, Closad 

c*> *c 

NA 


NA 

... 

1.1 


21.1 

... 

37.8 

Vtpor Pnuun N/M J 
'« *C 

— - 

1.31x10* 
at -258 

1 .38x10$ 
at -193.3 

2,55x10$ 
at -133 

2.07x103 
at -17.8 

3.31x10* 
| at 1.1 

2.14x10$ 

at 4.4 

2.07x102 
tt 20 

4.83x102 

at 4.4 


... 

1 . 0 U 10 S 
st -253 

3.58x10$ 
at -183.3 

1.15x10* 
tt - 1 S 1 

6.90x10$ 
at 4.4 

1 . 01 x 10 $ 
at 21.1 

6.9x10$ 
at 26.7 

6 . 89x10? 
at 40 

2.14x10$ 
at 26.7 

... 

1 .63x10$ 
at -2S1 

7.79x10$ 

-173.3 

3.39x106 
at -129 

2.14x104 
at 26.7 

2 . 66 x 10 $ 
at 43.3 

2.14x10* 

at 48.9 

2.28x10$ 
at 60 

7.17x10$ 

at 48.9 

... 

8.?7xl0$ 
at -243 

1.48x10* 
at -163.3 

4.24X10* 
at -123 

5.10x10* 

at 48.9 

5. 27x10$ 
at 65.6 

5.45x10* 
at 71.1 

6.41x10$ 
at 80 

2 . 0 x 10 * 
4t 71.1 

... 

1 . 12 x 10 * 
tt .241 

... 

... 

... 

... 

... 

... 

... 


* Calories per g: 


| 


1 

i 

? 

* 

I 

i 

i 

t 

r 

i 

* 

F 

1 


t 

£ 

f 

f 

4 

f 

i 

p 

i» 

s 


v 

t 


I 
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Table A-16. 


Properties of Primary Payload Fluids 


Engineering Units 


FLUID 

PROPERTY — 

He 

H 2 (pera) 

*2 

°2 

UDMH 

* 2 ®. 

NMH 

*202 90% 

N 2 H 4 

Critical Temperature *F 

-450.3 

-400 

-232.5 

-181.1 

482 

316.8 

593.6 

855 

716 

Critical Pressure psia 

33.2 

188 

493 

737 

786 

1460.0 

1104 

5130 

2135 

Boiling Point *F 

-452 

-423 

-320 

-29^ 

146 

70.1 

1 I 0 .S 

302.4 

236.3 

Fronting Point *0 

•457.8 

-435 

-346 

-361 

-71 

11.8 

-62.5 

31.2 

35 

Heat of Fusion btd/lb 

... 

25. 2 

10.962 

$.94 

72.18 

58.14 to 
66.96 

97.38 

1U.II 

170.1 

Heat of Vaporisation 
btu/ib 

10.8 

194.4 

85.68 

91.62 

250.92 

168.12 

378 

... 

601.2 

Auto Ignition T *F 

NA 

1075 

NA 

... 

412 

... 

382 

... 

S18 

Flammability Range 

NA 

4 to 75% 

NA 



2 (LEI) to 

... 

2.5 (LBL) 

... 

4 . 7(L8L) 

in Air 


by Vol. 



90% by 


to 98% by 


to 100 % 



et 68 *F 



Vol. at 


Vol. in 1 


•t 2 it*r 






mabient 


atmos. 



Flash Point, Open *0 

Cup 

NA 

— 

NA 

— 

S 

... 

65 

— 

125,6 

Flash Point, Closed *F 
Cup 

NA 

... 

NA 

... 

34 

... 

70 

... 

100 

Vapor Pressure pels 


1.9 at 

20 at 

37 at 

0.3 at 

4.8 at 

0.51 at 

0.03 at 

0.07 at 

et *F 


-433 

-316 

-280 

0 

30 

40 

68*0 

40 



14.7 at 

52 at 

167 at 

1.0 at 

14.6 at 

1.0 at 

0.10 at 

0.31 at 



-423 

-298 

-240 

40 

70 

•0 

104*0 

00 



23.7 at 

113 at 

402 at 

3.1 at 

38.6 at 

3.1 et 

0 .SS tt 

1.04 at 



-420 

-280 

-200 

•0 

110 

120 

I04»P 

20 



120 at 

214 at 

•IS at 

1.4 at 

01.0 at 

7.0 at 

ft.93 at 

2.0 at 



-405 

-262 

•100 

120 

ISO 

1*0 

.Vo 

100 



1*2 at 1 
•402 1 




| 
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The maximum TNT equivalent of the Modular Space Station pressure 
vessels is expected to be approximately 5 kg (11 lb), based on 0.84m 
(33 inch) diameter, 0.28m3 (10 ft3) , 2,1 x 10? N/m2 (3000 psi) tanks. 

A 141 m3 (5000 ft 3) payload module, such as a space station module, 
pressurized at 1 atmosphere, possesses a TNT equivalent of 10.3 kg (22.5 lb) 
while the TNT equivalent for the same volume is reduced to approximately 
1.64 kg (3.6 lb) at 13,800 N/m2 (2 psi). 

The above maximum TNT equivalents are expected to represent reasonable 
upper bounds for orbit^r pressure vessel payloads. 

A. 8 CRYOGENIC FLUID TNT EQUIVALENT 

In order to d&cermine the TNT equivalent of cryogenic fluids, an 
analysis was made of how cryogenic fluids behave when they expand into a 
low or zero pressure environment. 

Cryogenic fluids are generally stored as a liquid in a sub -critical 
state, where a liquid and gas phase can exist together in equilibrium, or 
in a supercritical state, in which the fluid exists in a single uniform 
phase, with no sharp distinction between gas and liquid. The supercritical 
phase is generally characterized by much larger storage pressures. 

The analysis indicates that if the fluid pressure is suddenly reduced, 
e.g. as a result of fluid leakage or tank rupture, the fluid expands and 
cools, going into a two-phase gas-and-liquid state. If this mixture is 
confined, as in a cargo bay, so that the gas and liquid can interract and 
remain in equilibrium, the expansion proceeds until the temperature drops 
to and below the triple point (where gas, liquid and solid can co-exist 
in equilibrium). Below the triple point, the liquid (moat probably in a 
mist), condenses into the solid form, and if the expansion continues, more 
and more of the remaining gas is converted into solid. The expansion stops 
when the liquid/gas or solid/gas mixture fully occupies the containing vessel. 

The energy that is released by the expansion and cooling of the fluid 
is used in accelerating the fluid, both the gas, and the liquid or solid. It 
is this energy that is available to damage structure and equipment it 
impinges on, and can be equated to the TNT equivalent. In the limit, when 
the fluid expands to space, it theoretically can reach absolute zero temper- 
atures and nressure. In this condition it is all in a solid state. This 
condition also corresponds to maximum energy release. 

The freezing time for oxygen, nitrogen, and hydrogen when the fluid 
liquid drop is exposed to a vacuurt near its boiling point is shown in 
Figure A-1D, as a function of drop diameter. The curves were developed 
from a linear extrapolation of theoretical data developed in "Freezing of 
Liquids on Sudden Exposure to Vacuum" by John B. Gayle, Carl T. Egger, and 
James W. Bransiord, Journal of Spacecraft and Rockets, Vol 1, No. 3, May/ 

June 1964. 

The freezing times for even large drops of 0.1 m (4 ins) diameter range 
from 0.025 seconds for hydrogen to 0.3 seconds for oxygen. In the event of 
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a cryogenic tank rupture, therefore, these times are sufficiently rapid 
for the energy released during freezing of the fluid to be available to 
contribute to the TNT equivalent of the cryogenic fluid. 

The TNT equivalent of hydrogen (parahydrogen) as it expands from typical 
subcritical conditions to vacuum is shown in Figure A-ll, as being typical 
of cryogenic fluids. This is plotted against the temperature of the fluid. 

The initial conditions on the right all represent different combinations of 
temperature and pressure, with the fluid fully saturated -- i.e., 100% gas 
for the two top curves, and 100% liquid for the two bottom curves. The four 
curves are characterized by the entropy, which is assumed to remain constant 
during expansion. The variation of the corresponding "quality,” or proportion 
of gas, during the expansion is shown for the four curves in Figure At-12. 

If the expansion starts or terminates at pressures and temperatures 
within the range shown in Figure Arl3, the TNT equivalent of the expansion 
is represented by the difference in ordinates for the two points. Since in 

practice, expansions of interest neither proceed to a vacuum, nor proceed 
isentropically, it is seen that the curves indicate the maximum potential 
TNT equivalent (remembering that entropy can only increase during a real 
process, not decrease). 

It is also of interest to note how non-linearly the pressure decreases 
with the temperature, as shown by the bottom scale of Figure A-ll. 

Typically, the TNT equivalent of cryogenics is relatively low. As a 
comparison. Table A-ll compares the TNT equivalent of hydrogen at typical 
subcritical cryogenic storage conditions as a liauid, with the same tempera- 
ture and pressure as a gas, and with typical high pressure storage conditions 
as a gas at room temperature. 

Table A-ll. TNT Equivalent of Hydrogen Stored at Typical Cryogenic 
and High Pressure Gas Conditions 


Pressure 

Atm. 

Temperature 
'K (°R) 

Phase 

TNT Equivalent 
kg/kg H 2 (lb/lbH 2 ) 

Expanding to 
1 Atm. 

Expanding to 
Vacuum 

6.8 

29 

( 52) 

Liquid 

0 .006 

0 .056 

6.8 

29 

( 52) 

Gas 

0 .031 

0.134 

20. A 

i 

294 

(530) 

Gas 

0.52 

0.75 


A. 9 BLAST OVERPRESSURE 

Face and side on overpressures resulting from an explosion are shown in 
Figure A-13 as a function of blast source TNT equivalent and distance from 
the source. 

The maximum allowable cargo bay pressure for a current NR orbiter design 
of 13,800 N/m2 (2 psi) is shown for reference together with the maximum allow 
able face-on overpressure, 20,700 N/m2 (3 psi), permissible for personnel 
exposure without additional protection. 
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The figure shows that considerable cargo bay damage could result from 
an uncontained explosion within the bay with less than 0.0045 kg (0.01 lb) 

TNT equivalent. For example, if a blast of this energy equivalent were 
detonated in the center of a 4.6m (15 ft) diameter x 18.3 m (60 ft) length 
cargo bay, the structure located at a distance of 2.3 m (7.5 ft) would be 
exposed to an overpressure in excess of 69,000 N/m 2 (10 p S i) » while the 
ends of the bay would be exposed to slightly greater than 6,900 N/m2 (1 psi) . 

A. 10 MAXIMUM TOLERABLE LEAK RATE INTO SHUTTLE CARGO BAY 

An investigation was made to determine the maximum allowable leak rate 
which can be tolerated into the shuttle cargo bay from a pressurized payload 
vessel. The shuttle cargo bay doors were assumed to be closed and the bay 
provided with vents to limit cargo bay differential pressures to less than 
13,800 N/m 2 (2 psi). A vent area to cargo bay volume ratio of approximately 
13.8 cm 2 / m3 (o. 06 in 2 /ft3) which has been previously used in NR shuttle vent- 
ing studies, was assumed to estimate the venting area for any known cargo 
bay volume. 

The maximum tolerable leak rate as a function of vent area, is shown 
in Figure A-14 and assumes a gas temperature of -205° C ( -328° F) 

(typical temperatures of gases that have leaked into the cargo bay) , a maxi- 
mum allowable cargo bay differential pressure of 13,800 N/m 2 (2 psi), and a 
discharge coefficient for the vent of 0.85. The leak rate is relatively 
insensitive to the gas temperature, varying inversely as the square root 
of the absolute temperature. 

It is seen that the maximum leak rate which can be tolerated is larger 
for gases of high molecular weight than gases of low molecular weight, and 
that leakage of hydrogen represents the worst case. 

Current NR orbiter designs use always-open cargo bay vents of approxi- 
mately 0.37m 2 (4 ft 2 ) area. The maximum tolerable steady state leakage 
rate into the cargo bay, with doors closed, is of the order of 2.5 kg/sec 
(5.5 lb/sec) for hydrogen and 20 kg/sec 45 lb/sec) for air, oxygen or nitro- 
gen. Larger leakage rates into the cargo bay can be tolerated for shorter 
durations, until the cargo bay pressure goes from vacuum to the tolerable 
limit. Such a large leakage rate for a prolonged period is approaching, in 
its damaging effects, an explosive rupture of a tank, rather than a leakage. 

It can be concluded that overpressurization of the orbiter cargo bay 
for normal cargo is not a major hazard. It must be considered, however, 
for payloads containing mostly propellants, such as upper stage vehicles or 
propellant logistics resupply. The hazard is then serious, however, only 
during the time the cargo bay doors remain closed. 

A. 11 TOXIC ENVIRONMENT IN THE ORBITER RESULTING FROM CONTAMINATED 
PRESSURIZED PAYLOAD 

The shuttle may be exposed to a toxic environment of a contaminated 
payload if the orbiter atmosphere, at some point in the mission, such as 
during orbital maneuvers, deployment, checkout servicing, or cargo handling, 
interfaces with the payload atmosphere. 
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Eight typical pressurized payload configurations which lead to a toxic 
orbiter environment are shown in Figure A-15. These are derived from 
combinations of manned payloads, unmanned payloads, payloads requiring 
shuttle environmental control, payloads including self-contained environ- 
mental control, and pressurized payloads not requiring environmental control. 
Payload configurations 1, 3 and 6 could present a toxicity hazard to the 
orbiter during normal operations, since they require a direct interface with 
the orbiter environment. The remaining configurations could present a 
toxicity hazard during a contingency situation in which it becomes desirable 
or necessary to perform an internal visual inspection of the payload. 

A. 12 TESTING POTENTIALLY TOXIC CARGO FOR TOXICITY 

Exposure of on-orbit personnel to a t xic environment could result 
upon opening of a modularized or equivalent cargo container, the atmosphere 
of which has been contaminated by breakage or leakage of internal vessels 
containing a toxic substance. The vessel breakage or leakage could have 
occurred during ground cargo transfer and handling operations, shuttle 
ascent to orbit, orbital and docking operations, and on-orbit cargo handling 
operations . 

Examples of toxic fluids which may be delivered to orbit to support 
experiment operations are carbon tetraflouride (CF 4 ) , carbon monoxide (CO) , 
mercury, formaldehyde, and nitrogen tetroxide (N 2 O 4 ) . Examples of other 
toxic substances are bio-organisns , and experiment sensors such as imaging 
tubes which can release poisonous gases if broken. 

Testing potentially toxic cargo for toxicity in an environmentally 
isolated test volume, such as an airlock, is one method which could be 
employed to control this hazard. Figure A-16 shows schematically a 
possible method for testing which is based on the following assumptions: 

1. Vessels containing toxic substances are contained within a 
larger pressurized container. 

2. Vessels containing toxic substances are subject to leakage or 
breakage. 

3. The container is designed to be compatible with the toxicity 
test; it is fitted with necessary valves, etc. 

4. Leakage from plumbing connections during the testing operation 
is possible, and thereby require an environmentally isolated 
test volume. 

As can be seen from the figure, the container can be vented to space 
if a toxic atmosphere is detected. 
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PRESSURIZED PAYLOAD ECLSS 
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Manned 

Unmanned 

By Orb iter 

By Payload 


uration 

Model 
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Payload 

Not Required 

1 

A 

X 


X 



2 

A 

X 



X 


3 

A 


X 

X 



4 

A 


X 


X 


S 

A 


X 



X 

6 

B 

X 


X 



7 

B 

X 



X 


8 

B 

* 

X 
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Figure A-15. Configurations Which Can Lead to Toxic Environment in Orblter 
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Figure A-16. Airlock for Testing Toxicity of Cargo 
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A. 13 MAXIMUM SAFE TANK CONTENTS 

Gaseous leakage from an upper stage vehicle tank into the orbiter cargo 
bay cannot be allowed to overpressurize the bay. The resulting damage to the 
Shuttle structure and cargo bay doors could, in extreme cases, cause loss of 
the entire vehicle, including the crew, during reentry. For less severe 
cases, the structure could bend or break, allowing hot atmospheric plasma to 
enter internal volumes containing critical components. 

Limiting the gaseous contents of_upper stage vehicle tanks to the value 
shown for a typical case in Figure A-W could prevent overpressure from the 
leakage or rupture of any one tank. Each independent tank would not provide 
enough gas to increase the cargo bay pressure above the design limit (13,800 
N/m^, 2 psi, in this case) even under the restriction of no venting. 

Immediate expansion of gas into the cargo bay is the worst case, since some 
upper stage vehicle tank leakage over time would also allow some cargo bay 
outflow. Immediate expansion also restricts the heat transfer, so the process 
can approach isentropic. The general relationship for isentropic state 
changes for a perfect gas is: 


P 2 V ‘ Pi V 


where p = gas pressure 
V = gas volume 

Subscript 1 denotes the initial pressure and volume of the gas 
in the tank, and subscript 2 the expanded values, i.e., the 
allowable pressure in the cargo bay, and the cargo bay volume 
(assuming it is all available for expansion). 

Figure A-17 shows the allowable relationship between task oressure and 
volume. This result taxes advantage of the decrease in gas temperature during 
expansion to allow high initial tank pressures in relatively small tank 
volumes. The final low temperature reduces the immediate specific volume, 
so that a larger weight of gas is acceptable to the Shuttle structural 
strength. It is therefore better, from the point of view of potential cargo 
bay overpressurization, to transport large quantities of gas in the orbiter 
cargo bay at high rather than low pressure (assuming the same storage tem- 
perature). For example, a typical Space Station module contains 156 m 3 

(5500 ft 3 ) of air at io5 N/m^ (14.7 psi). This point is on the unsafe 
side of the curve, i.e., a massive leak from the module could damage the 
orbiter cargo bay. If the same quantity of air is stored in a tank of 
1.56 m^ (55 ft 3 ) at a pressure of 10' N/m^ (1470 psi), and the module is 
now vented to space during launch and only pressurized after station assembly, 
a rupture of the tank, will not now overpressurize the cargo bay, as shown 
by the fact that this point now lies on the safe side of the curve. 

The final gas state after a leakage continues to change slowly due to 
heating from the cargo bay structure, but venting will compensate for the 
specific volume increase. The curve is conservative because no gas condensa- 
tion to solid was considered, i.e., sublimation pressures are extremely small. 
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Figure A-17. Safe Content of Gas Tanks 

A. 14 MAXIMUM SAFE TANK CONTENTS - LIQUID 

Safe liquid content of upper stage vehicle tanks is a function of the 
amount of gas generated when liquid leakage occurs. Storable propellants 
release a small amount of gas because of rapid solidification. The differ- 
ence between solidification temperature and normal operating temperature is 
small and the heat lost through evaporation is large, e.g., one pound of 
water at 21 # C (70°F) requires only 0.073 kg(0.16lb) of water evaporation to freeze. 
In contrast, cryogenic propellants vaporize a larger percentage of the 
liquid before the remainder is solid; e.g., at least 25% for hydrogen and 
53% for oxygen. Expansion to a higher pressure than vacuum may result in 
a decrease in the amount of gas generated, but at a higher temperature. 

Specific analysis is required for each combination of liquid and storage 
conditions to identify safe liquid tanks volumes. 

Some upper stage vehicle tanks may not be within the allowable contents 
to preclude overpressurization of the cargo bay in the event of leakage. 

Reduction of pressure and/or volume could be made for improved safety. 

Volume reduction to reduce the potential effects of a failure of any 
one tank could be accomplished by the use of multiple tanks or compartaenta- 
tion of the larger sizes. ’ Multiple tanks are more feasible for high pressure 
storage because of the increased efficiency of structural shape possible. 
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Compartmentation could be used for larger, low pressure volumes, where bulk- 
heads need not have excessive weight. In most cases, however, the tank 
configuration has already been determined by existing designs (e.g., Centaur, 
Agena, Apollo service module), or will be determined by other considerations. 

Pressure reduction is more flexible because variation with time is possible 
and in some cases desirable. Merely reducing the pressure by regulator set- 
ting is a step in the right direction for liquid propellants because it could 
result in safe tank contents, and it does reduce the driving force for 
leakage. Storage of the additional gas for operational pressurization imposes 
no weight penalty in the gas quantity and only a small weight increase in the 
high pressure gas tanks. 

Further improvement for low leakage can be achieved by cutting off the 
pressurization supply to the lower pressure tanks entirely prior to upper 
stage vehicle operation. Leakage will then decrease the internal pressure 
and temperature still further, with a direct decrease in leakage flow. Should 
only liquid be exposed to the leak source, all the liquid would normally be 
expelled. However, if only pressurizing gas were exposed to the leak source, 
much of the liquid in the tank would be solidified and would not be available 
for leakage until significant heat transfer had increased the vapor pressure. 

The time history of the leak would be much more gradual and would give the 
Shuttle vents the time to dissipate the early leakage. Therefore, the cargo 
bay pressure rise would be more gradual with a lower peak. 

A. 15 ORBITER CARGO BAY VENTS 

Venting of the orbiter cargo bay starts with the launch and re-entry 
transients. The atmospheric gas flow is out and in, respectively, and the 
practical solution is always-open vent holes. However, vent sizing for this 
condition does not consider the possibility of upper stage vehicle leakage 
at the same time. These holes must be small enough to prevent excessive 
ingestion of hot, atmospheric plasma; therefore, the individual and total 
hole area is limited. In addition, payload leak rates during on-orbit 
operations with the cargo bay doors closed could result in bay overpressure; 
e.g., leaks from large propellant tanks and large, pressurized modules which 
are more than one-half the cargo bay in volume. 

Increased venting capacity could be available through differential 
pressure activated relief valves. Single direction venting from inside the 
cargo bay, to space would be sufficient because the intent is to prevent 
orbiter disaster as a result of upper stage vehicle large leakage into the 
bay or generation of large quantities of gas in the bay through fire. 

Although large leakage and fire are unlikely, they are hazards whose effects 
involve grave consequences for orbiter crew and equipment. Tradeoff of 
risk with venting capacity should be made during detailed design of orbiter 
and payload. 

Completely open cargo bay doors essentially provide a space environment. 

The space exposed side of the orbiter payload has no confinement and could 
accept all leakage without overpressure; but the orbiter side could still be 
locally confined as a consequence of cargo bay wall proximity to the upper 
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stage vehicle. With reasonable precaution in installation design, the 
likelihood of cargo bay overpressure should be acceptably small. Open cargo 
bay doors to the maximum extent possible while in earth orbit resolves 
several particular hazards and is therefore recommended. 

The complete orbiter of shuttle cargo bay venting is shown in Figure 

A-18. 


Cargo 

Bay 

Pressure 



Figure A-18. Cargo Bay Venting Spectrum 


Any on-orbit operations that could prevent door closure following 
payload activities are hazardous to the orbiter. A current orbiter require- 
ment is closed cargo bay doors during reentry due to aerodynamic buffeting 
and heating. Payload activities in orbit generally require opening of the 
cargo bay doors to expose sensors to the space environment or to off-load 
free flying vehicles into space. Possible incorporation of environmental 
control cooling radiators on the door internal surfaces would also require 
door opening for on-orbit use. Sane upper stage vehicle installation con- 
figurations (e.g.. Centaur) have recommended vent, electrical, fitting and 
dumping connections through the door. Any one of these hard connections 
could interfere with the door closing by misalignment of either mating piece. 
Retrieved upper stage vehicle indexing within the orbiter would have to be 
very precise. Connections would be inaccessible to orbiter crew by IVA or 
EVA because of small clearances. Therefore, connections to the doors are 
not recommended because of added hazard and low flexibility. 
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An alternate location of interconnections between upper stage vehicles 
and the orbiter would be from the upper surfaces (those exposed to space 
when the door is open) of the upper stage vehicle to the cargo bay walls. 

This location would allow connection independent of either upper stage 
retrieval into the bay, or of the cargo bay door closing. In addition, 
the connections would be accessible to manned adjustment and repair before 
de-orbit. 

A. 16 ORBITER CREW CONTROL 

The prime safety requirement of the upper stage vehicle/orbiter combina- 
tion is return of the crew to earth. The only immediate means is the orbiter. 
Monitoring for performance abnormalities by the crew provides the information 
necessary upon which to base mission continuation or abort decisions. Com- 
puter control can provide some normal operating sequences, but the more 
complex normal and abort sequences may be performed by crew control more 
effectively. The crew can provide an interlock capability for hazardous 
operations without additional weight and with crew assurance. 

One of the most severe hazards from upper stage vehicles is overpressure 
of the tanks with subsequent explosion. Crew monitor of tank pressure is 
a back-up for the automatic measure, and crew control of vent and pressurizing 
valves is a back-up for automatic pressure level control; this may include 
separate sensors and readouts for the orbiter crew, over-ride opening and 
closing of the vent valves, and over-ride opening and closing of pressurizing 
gas supply valves. Where inadvertent initiation of upper stage vehicle 
processes could present a hazard to the orbiter, a separate cut-off should 
be available to the orbiter crew; e.g., electricity to the upper stage 
vehicle engine start valves. Switchover from orbiter crew command control 
to upper stage vehicle internal control should occur only when the orbiter 
is either out of hazard range entirely or is capable of performing evasive 
maneuvers to avoid a failed upper stage vehicle under the case of maximum 
possible vehicle acceleration. 

A;L7 ORBITER CARGO BAY ISOLATION 

Several orbiter hazards from upper stage vehicles or any one of a 
variety of payloads could propagate into orbiter equipment through proximity; 
e.g., overpressure from leakage, pressure shock from explosion, shrapnel 
impingement from explosion, and excessive heat transfer from fire. In case 
of emergencies resulting from such hazards, remedial action must be taken 
by the orbiter crew in order to return safely to the ground. 


The orbiter equipment necessary for de-orbit, reentry, and landing must 
remain in a safe operating mode, but orbiter equipment surrounding the cargo 
bay has a higher chance of being damaged than remote equipment. Much equip- 
ment must be placed in and near the cargo bay because of functional require- 
ments and in order to minimize the orbiter total volume. Orbiter equipment 
required for safe return should not be placed in exposed positions around 
the cargo bay because of the added risk. In addition, damage to this nearby 
equipment can be prevented from affecting remote equipment by the expedient 
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of isolation. Isolation can be implemented by interlocks or shutoff valves 
within branches of the subsystem, or by separate subsystems which interface 
through isolating components; e.g., cathode followers, heat exchangers, and 
information storage. 

Isolation of the external interface between or biter and upper stage 
vehicle requires consideration of fragment barriers and thermal insulation. 
These safety devices could be placed on each payload according to the 
peculiar requirements or on the orbiter as a minimum common requirement 
that does not penalize upper stage performance; e.g., a single insulation on 
the orbiter cargo bay surface (inner or outer) which ameliorates all three 
effects. 

The orbiter cargo venting system should be isolated from the rest of 
the orbiter venting system. Interstices between the orbiter tanks and 
conduits need to be vented to the atmosphere and space during ascent and 
re-entry. Combining the vent system for the two volumes would increase the 
number of failure modes applicable to the orbiter tanks; e.g., corrosion 
from upper stage vehicle, co rosive fluid leakage and increased heat trans- 
fer into orbiter cryogenic propellants (for orbiters with internal hydrogen 
and/or oxygen tanks). Leakage from any upper stage vehicle would destroy 
the hard vacuum surrounding orbiter cryogenic tanks which is necessary for 
insulation effectiveness. In addition, any leak in the orbiter tanks 
would increase the pressure experienced by the orbiter cargo bay. Providing 
a separate venting system for each volume would confine failures to the 
locality of the initial failures, and would improve the possibility of 
remedial action. 

In summary, the orbiter cargo bay venting system should normally be 
separate from the orbiter tank volume venting system. Always- open vent 
holes to space could be used for both. Vent requirements could be satisfied 
by relief valves between the two volumes (simultaneous emergencies in both 
volumes are unlikely) or between each volume and space. The more likely 
small leaks should be well within the always-open vent capacities determined 
by launch and re-entry requirements. Requirements of open shuttle cargo 
bay doors and avoidance of internal confined volumes would provide the 
maximum venting over the longest time period. The current orbiter time-line 
includes short periods of operation in orbit with the cargo bay doors closed 
immediately on achieving orbit and again before de-orbit. 

A. 18 ROCKET ENGINE INSTABILITY 

Rocket engines utilize very high temperature gases in the violent 
chemical reaction of combustion to provide efficient thzust in space. 

Control of this process is primarily empirical in current designs. Extensive 
testing is required to explore the stable region of the particular design 
used and safeguards are provided for insuring operation only within that 
region, but uncontrolled combustion is still possible. The effects of 
uncontrolled combustion are catastrophic to the engine and immediate surr 
roundings through flame, shrapnel, loss of full thrust, and misdirect .d 
thrust. 
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Checkout of attitude control engines before upper stage vehicle release , 
if required, should occur in the fully extended position, if possible. 
Attitude hold immediately following release should be performed by cold gas 
jets or by engines on the opposite side of the upper stage vehicle from the 
orbiter. 

Intentional operation of upper stage vehicle main rocket engines should 
be planned only when remote from the orbiter, and main engine bum should be 
initiated at a distance from which evasive action by the orbiter could 
prevent damage or collision. Return of an upper "'*ge vehicle to the orbiter 
can be performed in a similar manner; e.g., turn orf upper stage vehicle 
main engine before orbiter approach and switch to cold gas jets when near the 
orbiter • 

A. 19 HAZARDOUS FLUIDS IN 1971 BLUE BOOK EXPERIMENTS 

An analysis was made of the 1971 Blue Book to Identify fluids which are 
specif lud In the various experiments. Tables A-12 through A-18 present the 
1971 Blue Book experiments, by discipline, with the associated fluids where 
specified. Quantities, pressures, volumes and other relevant parameters are 
shown where available. 
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Table A- 13 . 1971 Blue Book - Volume 111 OPhysics) 
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Table A-13. 1971 Blue Book - Volume III (Physics) 















Table A- 14. 1971 Blue Book - Volume IV 

(Earth Observations) 
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Table A-17. 1971 Blue Book - Volume VII (T - Technology) 
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FLUID MANAGEMENT Fluids which will primaril; 

support Life Support, Spac 
Propulsion and other fluid 
systems 


2.4.1 Liquid/Vapor Interface Freon 11 Resupply - None 

Stability Hexane, Methanol, 450 lb 
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7.4.4 Behavioral Effects 
and Performance in 
Rotogravitatlon 
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A. 20 RADIOACTIVE EXPERIMENT SOURCES 

The radioactive sources identified from a review of the 1971 NASA 
Experiments Blue Book are listed in Table A-19. . 


Table A~19. Identified Radioactive Sources 


Source 

Quantity 

Discipline 

Experiment 

Usage 

Co 60 or Cs 137 

2-3 curies 

Life Sciences 

Radiobiology 

Gamma Isotope 
Radiation Source. 

C-14 Methionine 

Unknown 

Life Sciences 

Role of gravity 
in life processes 
of microscopic 
organisms arid 
cultured tissues. 


Sr 89 

10 milli- 
curies 

i 

Life Sciences 

Effect of the 
space environment 
on invertebrate 
behavior. 

Radiation Source 
for tribolium 
experiments . 


As can be seen from the above table , cobalt-60 and cesium-137 Gamma 
Isotope Radiation Sources could present a significant radiation hazard if 
shielding is damaged while in the orbiter cargo bay or during cargo handling 
and transfer operations. Typical characteristics of 1 curie of these isotopes 
as shown below: 




Roentgens 

Roentgens 



Per Hour 

Per Hour 

Isotope 

Half-Life 

at 1 Ft 

at 1 Meter 

CO 60 

5.3 yr 

14.3 

1.3 

Cs* 37 

30 yr 

3.4 

0.32 


A radiation hazard due to spillage is not anticipated for Co^°, since 
it would be expected to be a solid metallic material and not subject to 
rupture; however, radioactive sources which are of a powdered form enclosed 
in capsules could present a spillage hazard. 

Shielding requirements for limiting design dose rates to 0.1 R/week in 
working areas are shown in Figure A-19 and illustrate typical Industrial 
design standards for Co^O and Cs^?. 

A. 21 MINIATURE AIRLOCK FOR PLUMBING INTERFACE CONNECTIONS 

A potential hazard during transfer of hazardous fluids between containers 
in mated modules via piping, is the possibility of fluid leakage from plumbing 
interface connections into habitable vehicle volumes. Safety considerations 
for the non -mated module make it desireable that terminal points of transfer 
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lines for hazardous fluid containers be vented to space. However, after 
mating it is desirable to make module plumbing interface connections in a 
shirtsleeve environment, but perform subsequent transfer operations with the 
plumbing interface connections vented to space. A possible way to accomplish 
these objectives is through use of a miniature airlock which is described, 
including operations, in Figure A-20, 


A. 22 BOMB BLANKET 

A cursory investigation was conducted to determine the feasibility of 
employing bomb blankets, similar to bomb blankets used by police department 
bomb squads, to contain explosions of pressure vessels and pyrotechnic devices. 
Contact with the Los Angeles Police Department Bomb Squad provided the follow- 
ing information on the commercially available blankets. 

Blanket Manufacturer : 

Davis Bomb Blanket Corporation 

Scutters and Woodbone Ave. 

North Port, Long Island 11768 

Blanket Characteristics: 


1.2m x 1.2m x 0.6cm f 4 ft x 4 ft x 1/4 in) 

11 kg (25 lb) 

Laminated Ballistic Material 
MK2 hand grenade and various pipe bombs 
ranging in size from 1.3cm (1/2 in) to 
3.8cm (1 1/2 in) internal diameter x up 
to 20cm (8 in) length filled with various 
types of gunpowder. 

Test Results: Limited shock wave reduction with approxi- 

mately 90% shrapnel containment. 

The use of such blankets does not appear feasible for protecting large 
pressure vessels because of the large weight penalties involved and the 
ability to prevent shrapnel from small TNT equivalents only. Technology 
advances in blanket material and design could possible improve the controll- 
able energy levels to values of the order of pounds of TNT equivalent. An 
additional disadvantage is that total shrapnel containment is not accomplished. 

It appears feasible however, that the blankets, with modification to 
improve shrapnel containment, could be used to (1) contain explosions and 
shrapnel of pressure vessels with energy levels on the order of 0,01 kg 
(0.022 lb) TNT equivalent, (2) provide portable temporary blast shields 
for personnel performing non-routing maintenance in potentially hazardous 
volumes, (3) provide portable temporary blast shield for personnel perform- 
ing repair or disarmament of misfied pyrotechnic devices, or other potentially 
explosive elements, and (4) provide a blast shield between adjacent pressure 
vessels. 

It is of interest to note that any development effort in this area 
would have direct applicability to civilian police departments. 


Size: 

Weight: 

Material: 

Test Devices: 
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Mating 

Interface 


To Fluid Receiving 
Vessel 


Miniature 

Airlock 


»*V' 


— 


. Inspection 
Window (Optional) 


Supply 

Vehicle 


-v I ^ 


Receiving 

Vehicle 


rslSl = Pressurized habitable volume 
I | * Airlock or volume vented to space 


- Perform mating of supply vehicle to receiving vehicle 

- Perform plumbing interface connections in pressurized habitable environment 

- Vent airlock to space 

- Perform and monitor fluid transfer operations 

- Vent pluabing to space or purge with inert gas to clear lines of any 
residual toxic fluid 

- Pressurize airlock 

- Remove plunbing interface connections 


Figure A- 20. Miniature Airlock for Plumbing Interface Connections 
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A. 23 MAN-COMPATIBILITY OF TUG WHILE IN OR NEAR ORBITER 

Upper stage vehicles must be man-compatible; i.e., man rating safety 
criteria must be applied to systems and functions of the upper stage vehicle 
which could create a hazard to the orblter while the upper stage vehicle is in 
or near the orblter. The term man-rating , while not strictly defined, means 
that the safety, l.e., lack of hazards to the Shuttle and Shuttle personnel, 
has been adequately demonstrated so that the residual risks to personnel 
are judged to be acceptable. This is, of course, a subjective matter and 
no definite man-rating criteria can be cited. 

On the Saturn S-II and Apollo CSM programs, two successful unmanned 
flights were the last phases of man-rating a new launch vehicle. It is not 
clear what the equivalent requirement is for upper stage vehicles, since the 
mission phases which require man-compatibility are the relatively passive 
phases of launch, boost, on-orbit deployment and retrieval, deorbit, re- 
entry, and landing. 

The test requirements for man-compatibility must therefore be. developed, 
and must be consistent with the corresponding man-rating requirements on the 
Shuttle . 

One possibility is that a safe unmanned test be performed on the 
Shuttle, in which one or both propellants are replaced by equivalent fluids 
which cannot react chemically. For example, LO 2 /LH 2 vehicles may be launched 
into orbit and returned to earth using L^/LH^* The liquid nitrogen will 
provide an adequate simulation of the liquid oxygen, but neither the nitrogen 
nor the hydrogen on their own, nor in combination, can produce a chemical 
reaction. Other propellants can be replaced by chemically inert fluids with 
analogous density, thermal, and other properties. Such a flight test can 
also be used to satisfy man-compatibility requirements; but it can also be 
used as a part of the vehicle qualification testing because the Shuttle 
environment is perfectly reproduced. Such combined testing may prove very 
cost effective, replacing a large portion of the ground qualification test- 
ing, as well as man-rating the vehicle. 

An alternative man-compatibility test may consist of launching the 
upper stage vehicle into orbit as a kick stage, using a booster which exhibits 
environments at least as severe as the Shuttle. Such a test Imposes design 
constraints on new upper stage vehicles (i.e., the tug/OOS) to make it com- 
patible with the Shuttle orblter and the other booster. 
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APPENDIX B. 

SUPPORTING ANALYSES-DOCKING 


This appendix presents supporting analyses performed during Task 2, 
Analysis of Earth Orbital Shut tie /Modular Space Station Docking Options. 

It should be read as a technical appendix to Section 3.0 of this volume. 

B.l DOCKING DYNAMICS WITH DOCKING PORTS OFFSET FROM THE CENTERS OF MASS 

The current experience of docking on the Gemini and Apollo programs 
has dealt with the situation in which the centerlines of the docking ports 
were essentially aligned with the centers of mess of the two docking vehi- 
cles. This results in minimum angular motions upon contact. 

The current configurations of the orbiter and the modular space station 
result in docking port alignments which are offset from the respective 
centers of mass, as shown in Figure B-l. This leads to an angular motion 
of the two vehicles upon initial docking contact, which must be cancelled 
out by the attitude control systems of the vehicles (or by the manipulator, 
where used for the final docking, if this has the necessary torque capability). 
The direction of the angular motions (assuming zero angular rates before con- 
tact) will be in the same direction for the two vehicles if the docking port 
lies between the two centers of mass, (see Figure B-2A) , or in opposite 
directions if both centers of mass are on the same side of the center of 
mass (see Figure B-2B) . The angular velocity of each vehicle depends on 
the contact velocity, the vehicle mass, moments of Inertia and distance of 
the center of mass from the docking port. The velocities for the two vehicles 
will in general be different, and if the necessary corrections are not 
promptly applied by the attitude control systems, contact with tne two vehi- 
cles with consequent damage will result. The dynamics of the situation, the 
angular rates and angular excursions reached, as well as the conseuqences of 
a control system failure at the critical moment are therefore of interest 
from the safety point of view, and are examined here for typical situations. 

Four cases have been analyzed, using combinations of a large and a 
small orbiter docking respectively to a large and a small space statioi 
The large orbiter is representative of the fully re-usable orbiter with 
built-in propellant tanks, as studied in the Phase B Shuttle Study. Tht. 
small orbiter is representative of the orbiter with separatable propellant 
tanks, as studied in the Phase B Shuttle extension studies. The large and 
small space stations represent different stages of build-up, the large one 
being the built-up 6-man version, and the small being the single module 
launched initially. 
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Figure B-l, Typical Orbiter to Station Docking Configurations Showing 
Relative Positions of Centers of Mass and Docking Ports. 



Figure B-2. Direction of Initial Angular Motions Following Docking. 
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Table B-l shows the mass p.operties and relevant dimensions for the 
four cases (see Figure B-l for the definition of the dimensions) . These 
properties are typical of orbiters and s tit ions studied in the NR phase B 
shuttle and station studies. 


Table B-l. Mass Properties and Dimensions of Four 
Cases of Orbiter to Station Docking 


Case 

1 

2 

3 

4 

Orbiter 

Large 

Small 

Large 

Small 

Station 

Large 

Large 

Small 

Small 

Orbiter Properties 





Mass, kg x 10 ^ (slugs) 

15(10,000) 

8(5,500) 

15(10,000) 

8(5,500) 

Moments of Inertia 





kg . m^xlO^ ( s lug . f t 2x10^) 

26 (20) 

8 (6) 

26 (20) 

8 (6) 

"a", m (ft) 

21 (71) 

21 (71) 

21 (71) 

21 (71) 

Station Properties 

I 

1 

j 


Mass, kg x 10^ (slugs) 

5 (3500) 

5 ( 3500) 

1 (700) 

| 

1 (700) 

Moments of Inertxa 



1 


kg.m^xlO^slug. f t^xlO^) 

1.7 (1.3) 

1.7 (1.3) 

0.13 (0.1) 

0.13 (O.i; 

"b", m (ft) 

4.5 (15) 

4.5 (15) 

3 (10) 

i 

3 (10) 


The angular excursion which will be experienced depends on the initial 
angular velocity and the control authority available from the vehicle attitude 
control system. This authority differs by orders of magnitude between the 
orbiter and station. The orbiter uses reaction control jets of 9500 N (2100 lb) 
thrust on the NR design, and 7100 N (1600 lb) on the MDAC design. The space 
station jets, on the other hand, are 45 and 90 N (10 and 20 lb) respectively 
on the NR and MDAC designs, with moment arms smaller than on the orbiter. 

The capability for applying torques is 150 to 1000 times larger on the orbiter 
than on the station, and taking the differences in moments of inertia into 
account, the control authority (expressed as angular acceleration capability) 
is ^nywhere from 2.2 to 125 times larger on the orbiter than on the station. 

The least control authority exists on the large, built-up space station, which 
has the relatively large moments of inertia, but only 45 to 90 N (10 to 20 lb) 
jets, '"his can only produce angular accelerations (in the pitch plane) of 
about .01 deg/sec^. 
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Because the station control system has the lesser control authority, 
and hence the greater potential for problems, the remaining analysis is con- 
cerned with the station only. Table B-2 shows the angular rates, decelera- 
tions, and other parameters of interest for the four cases considered. The 
docking impact velocity is taken to be 0.3 m/sec (1 ft/sec) and the control 
moment that can be applied 545 N.m (400 lb. ft). 


Table B-2. Angular Motion of Space Station Following Docking 
With Orbiter at 0.3 m/sec (1 ft/sec) and 545 N.m. 
(400 lb. ft) Control Moment 


Case 

1 

2 

3 

4 

Initial Angular 
Velocity, deg/sec 

0.8 

0.45 

2.1 

1.6 

Deceleration, 

•y 7 

deg/sec^ 

1 

0.01 

0.01 

0.14 

0.14 

Angular Excursion, 
deg. 

32 

10 

16 

9 

Time to Decelerate, 
sec. 

72 

39 

15 

12 


The table shows that the worst situation occurs in Case 1, in which 
a large orbiter docks to a large station. The large inertias involved, 
transfer a substantial angular momentum to the station, and this turns 
through a 32 degree angle (assuming that the initial capture latches hold) , 
in 72 seconds, before the motion is arrested. This obviously poses geometric 
problems, both in the detail design of the docking mechanism itself to allow 
for such angular misalignments, and in the potential of inadvertent contact 
between the vehicles. 

For the other cases, the combination of inertias may lead to larger or 
smaller initial angular velocities, but the resulting angular excursions are 
less. 


The above example assumed a docking velocity, V, of 0.3 m/sec (1 ft/sec) 
and a control moment, M of 545 N.m (400 lb. ft). For other values of these 
parameters the results vary as follows: 


o 

Angular 

acceleration 

oc 

M 

o 

Angular 

velocity 

o c 

V 

o 

Angular 

excursion 

OC 

V 2 /M 

o 

Time to 

decelerate 

oc 

V/M 
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The problems associated with the large angular excursions can thus be 
considerably alleviated by reducing the docking velocity, V. For example, 
at 0.12 m/sec (0.4 m/sec), cs planned on the MDAC station, the 32 degrees 
excursion for Case 1 Is reduced to 8 degrees. The excursion Is further 
reduced to about 4 degrees by using the larger control jets of 90 N (20 lb) 
used In the MDAC station design. 

At the docking velocities used by the manipulator system, of 0.03 m/sec 
(0.1 ft/sec), the problem essentially vanishes, with an angular excursion 
of 0.3 degrees. This sensitivity to docking velocity and control moments 
is shown in Figure B-3. 

Similar considerations show that the orbiter, with control authority 
about two orders of magnitude greater than the station, can counteract 
angular motions practically instantaneously, and does not have this kind of 
problem. 

A serious hazard occurs if the attitude control system falls after 
capture, but before motion has been arrested and the vehicles stabilized. 

If this happens, the attected vehicle will continue its angular motion, 
the docking interface will be broken, and the vehicles will collide with 
each other. The docking interface will not normally be rlgidized until the 
docking transients have been thoroughly damped, so that the docking port 
will not at this time be in a configuration to transmit corrective moments 
applied by the other vehicle’s control system. This is a particularly diffi- 
cult problem if the failure occurs on the station. The orbiter, with its 
larger control authority, will have inertially stabilized itself practically 
instantaneously, but the station will keep on moving. 

The obvious solution is to rapidly undock and back the orbiter away 
from the station so as to avoid damage. In such a case, however, if the 
station control system problem cannot be corrected, it may be impossible 
to ever re-dock to the staion again, and the station would have to be 
abandoned, with an emergency EVA evacuation by the station personnel. 

The recommended solution is to fly the orbiter so that it follows the 
space station motion. This would involve complex sensing devices or proced- 
ures, to track the station angular motions, and possible minimum Impulse 
attitude adjustments on the orbiter. This maneuvering would continue until 
the angular motions of the two vehicles have been damped out enough to enable 
rigidizing to be performed while the two vehicles are still rotating in 
inertial space. Once rigidizing has occurred, the orbiter can transmit 
moments through the docking port, and stop the motion of both vehicles. 

If the failure is in the control system of the orbiter, the suggested 
corrective procedures can be applied in reverse, with the station tracking 
the orbiter motion until the two vehicles can be rlgidized and the motion 
arrested. The corrective action will in this case be much slower, and the 
sensing devices could be simpler, possibly even visual inspection. 



B-5 



SD 72-SA-0094-2 







Space Division 

North American Rockwell 


If the manipulators are used for docking, then the same problem can 
arise, and the same corrective procedures applied, if the control system 
failure is in the control system of the manipulator. In this case, however, 
the motion is much less than for direct docking because of the dynamics 
(as shown above) , the manipulators could possibly provide some damping 
torques, and the station attitude control system provides a back-up to the 
manipulator control system. This problem is therefore not very severe where 
manipulators are used for docking. 

E. 2 NON-COLLISION DOCKING APPROACH VECTOR 

A potential hazard exists when two docking vehicles approach each 
other on a line-of-site course, as usually planned for the final docking 
maneuver. This is essentially a collision course, and if a control system 
failure occurs on the active vehicle, so that the final velocity, reductions 
cannot be achieved, a collision will occur at a velocity higher than the 
capability of the docking system, with consequent damage. 

In order to avoid this hazard, a new procedure is suggested here, 
which avoids the possibility of an inadvertent collision at too high a 
velocity. This consists, of aiming the approach velocity vector not at the 
docking port of the target vehicle, but at an imaginary "pseudo-target" 
some distance to one side of the target vehicle. This is illustrated in 
Figure B-4. The pseudo-target is sufficiently to the side of the target 
vehicle that if a control system failure should occur, the active vehicle 
passes by the target without the possibility of contact. Some margin may 
be allowed for possible rotations and errors. 

This non-collision approach vector is maintained while the velocity 
of the active vehicle is above the docking system attenuation capability. 
Deceleration through the various "braking gates" occurs along this direction. 
The velocity vector is only changed to be on a line-of-site, or collision, 
course when its velocity has been reduced to with thedocking system attenua- 
tion capability. If a control system failure occurs now, the docking system 
can withstand the collision without damage. 

The method is illustrated in Figure B-4. This shows how the original 
vector and the pseudo-target are selected, so as to avoid potential contact, 
and how the final velocity correction is applied to bring the two vehicles 
together at 0.12 m/sec (0.4 ft/sec), the assumed docking velocity. The 
final directional change must be made at the correct time, when the two 
docking systems are opposite each other. 

A number of options are available in applying this procedure. Firstly, 
the active vehicle may be oriented orthogonally to the target vehicle, so 
that it is moving crab-Hrise until the final velocity change. This is the 
way illustrated, and does not require a re-orientation of the vehicle, but 
only of its velocity vector. Alternatively the vehicle may be oriented in 
the direction of the approach velocity, i.e., towards the pseudo-target, and 
change orientation at the same time as the velocity vector. 
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Figure B-4. Non-collision Docking Approach. 
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The other option refers to the final braking maneuver. In the figure 
shown, the velocity is reduced to 0.12 m/sec (0.4 ft/sec) while still point- 
ing towards the pseudo-target, and a relatively small correction applied 
when opposite the target, which does not change the magnitude of the velocity, 
but only its direction. Alternatives to this consist of making a combined 
final correction in the final braking gate, (which is relatively complex 
in timing and direction, but minimizes propellant usage) ; or first coming 
to an absolute halt opposite the target, and then accelerating on the final 
line-of-slte vector (which simplifies the procedure, but increases propellant 
usage) . 

Two potential difficulties can be foreseen with this procedure. Firstly, 
the guidance of the vehicle towards a non-existent pseudo- target is a more 
complex maneuver than a simple line-of-slte approach. It may be found, 
however, that a "bias" can be introduced simply and reliably into the optical 
system. The angle of view of the target vehicle will continually change, 
however. 



Secondly, the attitude control system programming is more complex, 
possibly requiring more propellants, and more complex computer aided 
controls. If the orientation of the active vehicle is maintained constant, 
the braking maneuvers require simultaneous firing of several jets in a pre- 
determined but constant ration, and this is a non-optimum use of the system. 

The safety advantages, of completely avoiding the possibility of an 
inadvertent collision at a velocity to cause damage, must be evaluated 
against the potential disadvantages pointed out. This preliminary evalua- 
tion indicates that the advantages may be worth the penalties involved. A 
fuller evaluation of the method, including simulations with visual displays, 
should be made. 
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APPENDIX C 


SUPPORTING ANALYSIS-ON BOARD SURVIVABILITY 


This appendix presents supporting analysis performed during Task 3, 
Analysis of Traffic Patterns, Escape Routes, and Compartment Isolation. It 
should be read as a technical appendix to Section 4.3 of this volume. 

C.l Flood Flow Rate 

A rapid loss of pressure in an inhabited pressure volume can result in 
loss of personnel if evacuation of the compartment to a succor volume, the 
donning and utilization of pressure suits, or repair of- the leak cannot be 
accomplished in sufficient time. One method proposed in the tekt, to en- 
hance crew reaction time to cope with a depressurization emergency, Involved 
the flooding of the affected volume with atmosphere at a rate which is at 
least equivalent to that at which it is being lost to space. This flooding 
operation need not be initiated until the atmosphere pressure level is 
approaching the minimum, below which the crew cannot function or survive. 

This level is nominally estimated to be approximately 8 psi. If the crew 
has evacuated the compartment and it is necessary to re-enter the compart- 
ment after it has dropped below the minimum acceptable pressure, the flood 
flow rate of atmosphere required must exceed the loss rate. 

The atmosphere flood flow rate required to maintain compartment press- 
ures between 4.82 x 1()4 n/m^ (7 psia) and 10.12 x 10^ n/m^ (14.7 psia), as 
a function of the hole diameter through which atmosphere is being lost to 
space, is shown in Figure C-l. The flood flow rate Is Independent of the 
compartment volume. 

From the chart It can be seen that, for a 2,54 cm (1 In) diameter hole, 
a flood flow rate of approximately 7.7 kg/min (17 lb/sec) Is required to 
maintain the atmospheric pressure at 10.12 x 10^ n/m? (14.7 psia). The 
reaction time gained for any reserved quantity of flood flow atmosphere 
would be added to the time involved to reduce the affected compartment 
pressure to the level at which flood flow is initiated to arrive at the 
total afforded reaction time. For example, 77 kg (170 lb) of stored atmos- 
phere can extend the crew reaction time to cope with a 2,54 cm (1 in) hole 
in a 56.8 m^ (2000 ft^) orbiter crew/passenger compartment by 10 minutes; i.e., 
from 6 to 16 minutes. 

C . 2 EMERGENCIES/ CONFIGURATION OPTIONS RELATED TO EVA AND IVA 

The inability to open or close hatches during IVA (Intravehicular Activity) 
or EVA (Extravehicular Activity) is a potential hazard which affects orbiter, 
station, and sortie module escape routes and compartmentatlon requirements. 

IVA is defined as suited crew operations within the structural confines of 
a vehicle while EVA is suited crew operations outside the structural confines 
of the vehicle. 
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Figure C-l. Atmosphere Flood Flow Rate vs. Hole Size 


The performance of IVA and EVA during a time in which other crewmen 
are unsuited , requires airlock capability within the vehicle. The various 
configuration options which can result from the most simple airlock con- 
figuration (an airlock with two hatches) when an inoperative hatch (Inability 
to open or close) is considered, are shown in Figure .03 for EVA and Figure 
02 for IVA. The inability to open an external hatch in an airlock from 
which EVA egress was performed is not considered credible, and is therefore 
not accounted for in the assessment of impact because the hatch, after initial 
opening, would normally be left open during the performance of EVA. Reference 
is made to Table C-l for typical IVA and EVA operations. 

Configuration alternatives, shown with hatches and volumes which are 
in addition to the basic configuration drawn with dashed lines, range from 
8 imply back to back or redundant hatches within the baseline airlock to 
multiple completely Independent and redundant airlocks. 

Examination of the EVA composite configurations of Figure C-2, the 
resulting configuration when the hatch and Independent volume requirements 
are combined for Inability to open or close a hatch, shows that a minimum 
of four hatches within the airlock, or four hatches confined with the air- 
lock and an additional pressure volume are required to cope with an inopera- 
tive airlock hatch during EVA. 
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Figure C— 2, Impact of Inoperative Airlock Hatch During EVA 
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Table C-l. Typical Operations for Performing IVA or EVA 


| EVA 


Vol 

/ol 

Vol 

A 

B 

C 


(Airlock) 




Operation 

Applicability 


Sequential Operation IVA EVA 


Enter Airlock X 

Don Pressure Suits (Less Helmet and gloves) X 

* Don Pre-Breath Unit X 

* Perform Pre-Breathing (Approximately 3 Hours) X 

Don PLSS or Attach Umbilical X 

Close Airlock Hatches X 

* Doff Pre-Breath Unit X 

Don Helmet and Gloves X 

De-Pressurlze Airlock X 

Open EVA Hatch 

Open IVA Hatch X 

Exit and Perform EVA 

Exit and iarform IVA X 

Enter Airlock X 

Close EVA Hatch 

Close IVA Hatch X 

Repressurize Airlock X 

Open IVA Hatches X 

Doff Suits and PLSS or Detach Umbilical X 

End IVA or EVA Sequence X 


* Required only for 3.7 pslg suits , pre-breathing is 
not required for 8 pslg suit. 
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A similar evaluation of the Impact of an inoperative hatch during IVA 
operations is shown in Figure C-3. A minimum of four hatches on two adjacent 
airlocks or six hatches, two pairs of which are back to back in a single 
airlock, are required for protection against an inoperative hatch during 
IVA. A unique alternate method for performing IVA is, however, available 
as can be seen from Option D. In this option an EVA route is used as a 
backup for IVA. The primary disadvantage with this option is that it requires 
six hatches and three independent airlocks. An alternate configuration which 
can employ use of an EVA route for IVA backup is shown in Option E. As can 
be seen from the chart, this option requires seven hatches and two independent 
airlocks . 

C.3 TEMPERATURE AND PRESSURE EFFECTS OF FIRE 

During the analysis of the impact of a fire/toxic environment on 
vehicle configuration, subsystems, and operation, several questions arose 
which required further analysis. These are (1) what temperature range can 
be reached in a compartment of given volume if a fire in the compartment is 
permitted to burn until it is extinguished by the gradual depletion of oxygen? 
and (2) if it were required to limit the thermal energy allowable in a given 
compartment to control the potential effects of a fire, what is the relation- 
ship between available thermal energy, compartment volume, and produced heat 
and pressure. 

A simple calculation, which assumed that a combustible source with k e 
thermal capacity approximately that of coal 33 x 10^ Joules /kg (15000 btu/lb) 
was burned in a compartment until all oxygen in the compartment was depleted, 
showed that the temperature in the compartment could approach 2573°K (4500°F) 
if all the generated heat were absorbed by the atmosphere. 

This value is well beyond the survival capability of the structure and 
subsystems of any vehicle. Although in a real situation, the generated heat 
would also be absorbed in the structure and other material and partially 
dissipated to space, the magnitude of the feasible temperature and the possi- 
bility that the fire could be of sufficiently rapid combustion to render heat 
absorption rates of media other than the atmosphere negligible leads to the 
conclusion that letting a fire burn out from lack of oxygen is not acceptable. 

The effect of releasing a given quantity of thermal energy into a known 
compartment volume, which relates to the second question, is shown in Figure 
C-4. As shown on the chart, the pressure of a typical volume for the orbiter 
crew/passenger compartment, 566 m3 (2000 ft3) , would be increased between 
7 kn/n»2 (1 psi) and 14 kn/m? (2 psi) and the temperature increased by 283°K 
(50°F) from 294°K (70°F) to 322°K (120°F) for a thermal input of 2.1 x 10 6 
Joules (2 x lO^ btu’s). The temperature limit of 322°K (120°F) is indicated 
because it is estimated that above this temperature crew evacuation from the 
compartment would be required. Although the pressure increases shown do not 
appear large, structural damage can occur if these potential increases are 
not accounted for in design. A fire isolatable compartment, which requires 
a slight delta pressure between it and the affected volume to prevent smoke 
and fume contamination can also be rendered ineffective with such slight 
pressure deltas. 
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C.A FALLIBILITY Or DUAL EGRESS CRITERIA 

Concern over the possible entrapment of personnel in a volume due to an 
emergency in the volume which has blocked the only egress path to safety led 
in this study, as well as in previous studies to a dual egress criterion. 

In addition to providing for dual shirtsleeve egress capability, the pre- 
vention of crew isolation through forced egress into non-common volumes is 
inherent in its intent. 

The dual egress criterion as expressed in a previous ^safety study 
performed for MSC is as follows: 

"Each compartment should have a minimum of two escape routes which 

should not terminate in a coranor compartment" 

A compartmentation arrangement which satisfies this criterion is shown 
in the diagram below. 



It can be seen from the diagram, however, that even though the dual 
egress criteria is satisfied as stated, personnel can still become isolated 
from one another. An emergency in compartment A which blocks either egress 
opening divides the vehicle into two parts in which compartments B, C, and 
F become isolated from compartments B, E, and G. These compartments can be 
made accessible to one another if an access route or opening were provided 
between compartments C and D or F and G. 


♦Contract NAS9-9046, Space Station Safety Study, Document MSC-00189, dated 
January 1970 
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C.5 PASSENGER TRANSFER TIME - AIRLOCK TO CREW/ PASSENGER COMPARTMENT 

The recommended approach to cope with loss of pressurization In the 
crew/passenger compartment of the baseline orblter configuration, as 
Identified In section A. 3. 3. 3 of this report, Is for the passengers to 
egress to the airlock while the crew dons pressure suits (which do not 
require pre-breathing) and proceeds to perform an abort from the depressurized 
compartment . 

Because an orbital abort may require In excess of 6 hours for orbital 
phasing with and landing at a CONUS (Continental United States) landing 
site and may result In normal entry maneuver, and landing acceleration 
loads approach 3 g’s, passenger abort In the airlock requires that the 
airlock be fitted with emergency type life support and passenger restraint 
provisions. Reference is made to Figure A. 3. 3-5 for one concept, previously 
identified and discussed in section A. 3. 3-3, of providing emergency restraints 
within the airlock. Because of the questionable capability of emergency type 
restraint devices, such as the hammock type employed in the referenced figure, 
to limit and control directional body excursions to prevent crew injury 
during an emergency landing in which impact and braking accelerations will 
be approximately double than those anticipated for normal entry and vehicle 
maneuvers , the recommendation was made to return the passengers to their 
respective landing positions in the crew/passenger compartment after the 
orbiter re-enters the sensible atmosphere and the cabin is re-pressurized 
to a habitable environment. 

This recommendation is based on an assessment of the time available, 
prior to landing, to transfer the passengers from the airlock to their 
seats in the passenger compartment. The maximum altitude at which the 
transfer can be made is that which can physiologically sustain the passengers 
and permit their functioning in a shirtsleeve environment. This criteria is 
satisfied only with an atmospheric pressure of approximately 5.5 X lO^ n/m l 
(8 psi) or above which corresponds not only to an altitude of A500 m (1500 
ft) , but to the nominal operating pressure level for IVA/EVA suits currently 
under development, which do not impose a pre-breathing requirement. 

The time available to transfer the passengers from the airlock to the 
passenger compartment is, therefore, equivalent to the difference in time 
between that when the orbiter has descended to A500 m (15,000 ft) and the 
event of touchdown. A typical orbiter descent timeline, which uses the 
nominal vehicle descent values of a 15 degree bank angle and a lift to 
drag ratio of seven (7) is shown in Figure C-5. As can be seen from the 
curve an altitude of A500 m (15,000 ft) is achieved approximately A to 5 
minutes prior to landing. This time is estimated to be sufficient for the 
personnel transfer provided that a time consuming period of pressure 
equalization between the airlock and passenger compartment is not required 
at the time of transfer. The need for special pressure equalization pro- 
cedures at the time personnel transfer is required can be eliminated if, 
when the abort is initiated or at a sufficient time before initiation of 
personnel transfer, pressure within the airlock is reduced to 5.5 X 10^ 
n/m 2 (8 psi) . Transfer would then be initiated upon an indication, via a 
sensor, that pressures within the two compartments were equalized. 
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APPENDIX D 

HAZARD/EMERGENCY ANALYSES 
1.0 INTRODUCTION AND SUMMARY 


\ 


This appendix of the Final report contains analyses of the hazards or 
emergencies identified during the study. The hazards /emergency analysis 
performed, with the requirements and guidelines that were developed, are 
contained in five sections, corresponding to the five tasks performed in the 
study. Each section is divided into subsections, according to the subtasks 
of each of the five tasks. 

The hazards and emergencies identified are specific to the study tasks, 
and must not be interpreted as a complete list of hazards or emergencies 
associated with the shuttle, shuttle payloads and space station. In particular, 
the hazards/emergencies considered are those that can occur in orbit only, in 
accordance with the scope of the study. Hazards/emergencies associated with 
pre launch, launch, boost, deorbit, reentry and landing are not considered. 

The hazards/ emergencies which were analyzed are generalized situations 
rather than hazards or emergencies specific to particular hardware, designs 
or operations. For example, each separate fluid tank presents individual 
hazards, according to its contents, pressure, volume, location, etc. All 
these hazards, however, are grouped i*nto explosion, corrosiveness, and toxicity 
hazards, without specifying the severity of each hazard associated with each 
tank. This was done for two reasons: firstly, to make the total number of 

hazard/emergency analyses for the total study manageable; and secondly, so as 
to make the resulting requirements and guidelines applicable irrespective of 
changes to the specific design concepts current at the time of the analyses. 

The requirements and guidelines which were generated were carefully 
worded so as to satisfy three criteria that were considered very important. 

These criteria are that the requirements and guidelines should: 

(a) be verifiable--!. e ., it should be possible to unambiguously 
verify whether each requirement or guideline has been met 
in the design or in the planned operations. Ambiguous or 
non-verifiable words such as "to the maximum extent possible" 
or "adequate" have therefore been avoided. 

(b) meet the mathematician's "necessary but sufficient" criterion-- 
i.e., they should specify every condition that must be met to 
satisfy the safety objective, but they should not specify more 
than is required for safety. The latter point is particularly 
important since the tendency is to select particular design 

or operational solutions which restrict the designer's choice, 
rather than stating only the requirement in general terms. 

(c) be written in precise and unambiguous language, suitable for 
incorporation into preliminary requirements specifications 
for Phases B or C. 
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A listing of the hazards and emergencies which have been identified and 
analyzed for each of the five tasks in the study is contained in Sections 2.5, 
3.7, and 4.1 of this volume. The disposition of each hazard/emergency is also 
indicated in these tables for the first two tasks. Since the purpose of the 
third task was not to eliminate or reduce the emergencies considered, but to 
provide the on-board survival following their occurrence, there is no cor- 
responding disposition of these emergencies. 

Hazards/emergencies can be disposed of into one or more of the following 
categories: 

0 Resolved Hazard. The recommended requirements and guidelines, 
when implemented, either eliminate the possibility of the hazard 
occurring; or reduce the potential effects of the hazard, if it 
does occur, so that neither injury to personnel nor damage to 
equipment can result. 

° Residual Hazard. The recommended requirements and guidelines, 
when implemented, do not entirely eliminate the potential 
occurrence of the hazard, or the possibility of injury to 
personnel or damage to equipment, however low the probability. 

Residual hazards are further classified as Acceptable Risks, 

SRT Requirements, and Unresolved Safety Issues. 

° Acceptable Risk. A residual hazard is an acceptable risk if 
the risk — i.e., the probability of occurrence and the potential 
damage that may result — are small enough after the recommended 
requirements and guidelines have been implemented, that no 
further safety measures need be taken to further reduce the risk. 

° Supporting Research and Technology (SRT) Requirements. It is 
not possible, with the present state of technological knowledge 
to determine if the hazard can be adequately resolved (Resolved 
Hazard), or if the risk can be sufficiently reduced (^ zceptable 
Risk). SRT requirements can be identified, however, which will 
reduce the hazard to an acceptable level, or determine the 
extent of the hazard. 

0 Unresolved Safety Issue. The nature of the hazard is such that 
no practical requirements, guidelines or SRT requirements have 
been identified which can resolve the hazard or reduce it to an 
acceptable risk. Continuous review is necessary of these 
unresolved safety issues during a program to reduce the risk as 
much as possible by design and other means. 
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2.0 TECHNICAL APPROACH 


The main purpose of performing hazards/emergency analyses is to identify 
safety requirements and guidelines in a methodical way. The format used was 
developed from hazard analyses performed on the Phase B Space Station and 
Shuttle contracts at NR/SD, and is illustrated in Figure 2-1. An 
explanation of the various features of this form follows. The item numbers 
below refer to the circled numbers in the figure. 

1. PROGRAM. An X indicates that at least one recommended 
requirement or guideline from this hazard/ emergency analysis 
is applicable to the appropriate program (Shuttle, Sortie or 
Station), and appears respects /ely in Volumes IV or V of 
this report. 

2. NO, Each hazard/emergency analysij is numbered sequentially 
with three nunbers in a decimal system. The first two 
numbers refer to the task and subdivision of the task in 
accordance with Table D-l, and the last three digit number is 
the sequential number for the hazard/emergency analyses within 
the subtask. (e.g., 2.1.003 refers :o the third hazard/emergency 
analysis for the first subdivision of task 2). 

3. DATE. This is the date on which the analysis was initiated. 

It is included as a guide to the reader as to the general 
concepts and programs which were current at the time of the 
analysis . 

4. HAZARD/ EMERGENCY. This describes the hazard or the emergency 
which is being considered, and contains identical wording as 
in Volume II. 

5. SOURCE. This cross-references to the section in Volume II 

in which the hazard or emergency is identified and/or discussed. 

Hie Roman numeral identifies the report volume (normally 
Volume II) and the subsequent number the specific section or 
sections of th'^t volume. 

6. ASSUMPTIONS. The validity of each hazard/emergency analysis 
is dependent on various assumptions. While it is very 
difficult at times to recognize that certain assumptions are 
implicit in an analysis, a strong effort has been made to 
identify and state all the relevant assunptions here. In this 
way each analysis can be reviewed at any time, and if the 
assumptions are still applicable, then the requirements and 
guidelines are still applicable; if there have been program 
changes so that the assumptions are no longer valid, then the 
whole hazard/emergency analysis should be reviewed. 
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Table D-l. Numbering System for Hazard/Emergency Analyses 


Hazard/Emergency 
Analysis Number 

Task 

Subdivision 

l.l.XXX 

Hazardous Payloads 

Upper stage vehicles 

1.2 .XXX 

II 

Hazardous Fluid Vessels 

1.3. XXX 

It 

Cargo handling and transfer 

2.1. XXX 

Docking 

Hazards common to all 
systems and modes 

2 .2 .XXX 

II 

Hazards specific to the 
direct docking system 

2. 3. XXX 

II 

Hazards specific to the 
extendable tunnel docking 
system 

2. 4. XXX 

II 

Hazards specific to the 
manipulator docking system 

2. 5. XXX 

19 

Hazards specific to free 
flying module docking mode 

3.1. XXX 

On-board 

Survivability 

— 
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In addition, assumptions which are applicable to all 
hazanls/emergency analyses for a particular task are defined 
in the baseline model for that task, 

7. POTENTIAL EFFECTS. The potential effects of the hazard or 

emergency are described briefly. Generally only the 
immediate effects are described. Since a good definition 
of the system is not available, configurations and designs 
can always be imagined in which even a minor effect could 
lead, by a chain of events, to a catastrophic situation. 
Therefore no attempt was made, in g eral, to trace all 
potential effects, since in every case these would have 
been the same: loss of personnel and loss of vehicle. 

Where the immediate effects could be predicted, however, 
these were described, as far as possible, in terms of injury 
or loss of personnel or of damage or loss of equipment; 

The objective of the hazard/emergency analysis, of course, 
is to identify practical requirements and guidelines which 
would either make the occurrence of the hazard or emergency 
impossible or extremely unlikely, or which would reduce the 
potential effects so that injury or damage will not result 
even if the hazard or emergency occurs. The potential effects 
therefore refer to before the requirements and guidelines are 
implemented. 

8. REQUIREMENTS § GUIDELINES. Individual requirements and guide- 
lines are identified here which will either prevent the hazard 
or emergency, make it less likely, or reduce the potential 
effects. The difference between a requirement and a guideline 
is as follows: 

o A requirement is regarded as a "must implement” 
item from the safety point of view. It eliminates 
an appreciable element of risk from the total 
spectrum of risks associated with the particular 
hazard or emergency. If recommended, a require- 
ment is therefore not considered as an item to 
be rejected for cost, weight or similar reasons, 
since it significantly impacts safety. 

o A guideline is regarded as a ’’strongly recommended” 
item from the safety point of view. It does not 
eliminate any appreciable element of risk, although 
it may reduce the occurrence or the resulting 
effects of the hazard. The increase in safety from 
a guideline in certain circumstances may not be 
commensurate with the penalties of implementing it, 

and therefore it may be traded off against cost, 
weight, etc. There is, in all cases, a safety 
penalty ^in the foim of exposure to some additional 
risk) whenever a guideline is not implemented, and 
this must be recognized whenever such a decision is 
taken. 


£. 
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The requirements and guidelines are numbered sequentially 
in each hazard/ emergency analysis. A letter behind the 
number indicates that the requirement or guideline is common 
to more than one hazard/emergency analysis. Such repeated 
requirements and guidelines are listed by the identifying 
analysis in front of each task. In a methodical perusal of the 
requirements and guidelines, the reader can therefore avoid 
re-reading items identified by a letter. 

9. CODE. A four digit code identifies certain judgments made 
against each requirement or guideline. The four digits of 
the code are explained in items 10 through 13 below. When- 
ever a requirement or guideline appears in more than one 
hazard/ emergency analysis, the identical code is used. 

10. RECOMMENDED (X) OR NOT (-) . For each hazard/emergency 
analysis a set of the identified requirements and guide- 
lines is recommended (by an X in the code). This recommended 
set is considered the best set of requirements to deal with 
the hazard or emergency. State-of-the-art, complexity, cost 
and weight were considered in arriving at the recommendations. 

Where a particular requirement or guideline is not recommended 
(indicated by a - sign), this was done on one of several 
grounds : 

(a) It is not practical (e.g., because it severely 
interferes with the mission objectives). 

(b) It is beyond the current state-of-the-art. 

(c) An alternative and preferred means of dealing 
with the particular risk exists in another 
recommended requirement or guideline. 

(d) Only a negligible increase in safety results. 

(e) New hazards are introduced which reduce or 
nullify any increase in safety. 

It should be noted that in many cases an item identified as 
a requirement is not recommended. This is done on one of 
the above grounds, and does not represent an inconsistency. 

It may represent a judgment that it is not practical or 
within the state-of-the-art to implement, or that the risk 
is eliminated by another (recommended) requirement. 

Only recommended requirements and guidelines are included 
in Volumes IV and V. 
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11. NO. OF HRPS (1, 2, 3, 4). HRPS refers to the Hazard 

Reduction Precedence Sequence of the NASA OMSF Safety Program 
Directive No. 1, Revision A (SPD-1A), 1700.120, December 12, 
1969. This is quoted verbatim as follows: 

"HAZARD REDUCTION PRECEDENCE SEQUENCE 

Actions for reducing hazards identified in above analyses 
shall be, in order or precedence, as specified in paragraphs 
1 through 5 of these requirements. 

1. Design for Minimum Hazard 

The major effort throughout the design phases shall be to 
insure inherent safety through the selection of 
appropriate design features as fail safe, redundancy, and 
increased ultimate safety factor. 

2. Safety Devices 

Known hazards which cannot be eliminated through design 
selection shall be reduced to the acceptable level through 
the use of appropriate safety devices as part of the system, 
subsystem, or equipment. 

3. Warning Devices 

Where it is not possible to preclude the existence or 
occurrence of a known hazard, devices shall be employed for 
the timely detection of the condition and the generation 
of an adequate warning signal. Warning signals and their 
application shall be designed to minimize the probability 
of wrong signals or of improper personnel reaction to the 
signals. 

4. Special Procedures 

Where it is not possible to reduce the magnitude of an 
existing or potential hazard through design, or the use of 
safety and warning devices, special procedures shall be 
developed to counter hazardous conditions for enhancement 
of ground and flight crew safety. Precautionary notations 
shall be standardized in accordance with the direction of 
the procuring activity. 

5. Residual Hazards 

Residual hazards for which safety or warning devices and 
special procedures cannot be developed or provided for 
counteracting the hazard shall be specifically identified 
v to safety and program management. Continuation of effort 

\ to eliminate or reduce such hazards shall be accomplished 
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throughout the program by maintaining awareness of new 
safety technology or devices being developed and their 
application to the residual hazards. Justification for 
the retention of residual hazards shall be documented." 

The numbers 1 through 4 therefore represent the appropriate 
paragraphs of the HRPS satisfied by the particular require- 
ment or guideline. No. 5, residual hazard, is not used here, 
since the term is reserved for the hazard or emergency as a 
whole (see item 15 below). 

1 2. REQUIREMENT (R) OR GUIDELINE (G). This identifies by the 
letter R or G whether this is considered a requirement or 
guideline, as explained in item 8. 

13. PREVENTIVE (P) OR REMEDIAL (R) . This indicates whether this 
particular requirement or guideline contributes towards 
preventing (P) the stated hazard/emergency (item 4), or towards 
remedying (R) the situation after the hazard or emergency has 
occurred. This does not refer to whether or not the require- 
ment or guideline prevents injury or damage following the 
occurrence of the hazard or emergency. 


14. RGD REF. This reference indicates the volume and section of 
the Requirements and Guidelines documents (Volumes IV-V ) of 
this report in which the individual requirements and guide- 
lines are documented. Thus,V-I-3.2 indicates Volume V, part 
I, section 3.2. The inclusion of a requirement or guideline 
in a particular volume, say Volume IV (Earth Orbital Shuttle), 
must not be taken as a decision that the requirement or guide - 
line must be implemented bv that particular program (the 
Shuttle in this case) or charged to that program . It indi- 
cates that provision will physically be implemented on that 
vehicle (the Shuttle). 

15. RESOLVED HAZARD. A hazard or emergency is considered to be 
resolved (for purposes of the study) if the recommended 
requirements and guidelines, when implemented, eliminate the 
possibility of injury or loss of personnel or damage to or 
loss of equipment from this particular hazard or emergency. 

A resolved hazard is indicated by an X in this box. 

16. RESIDUAL HAZARD. A hazard or emergency is considered to be 
residual if injury or loss of personnel o: damage to or loss 
of equipment is still possible from this hazard or emergency, 
even when tne recommended requirements and guidelines have 
been implemented. A residual hazard is indicated by an X 

in this box. Each hazard/emergency is classified either as 
a resolved hazard or a residual hazard. A further disposition 
of the residual hazards into acceptable risks, supporting 
research and technology requirements and unresolved safety 
issues is contained in Volume II of this report. 
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3.0 HAZARD/EMERGENCY ANALYSES 


This section contains the completed hazard/ emergency analyses. It is 
organized in five sections, 3.1 - 3.5, covering the analyses from the five 
individual tasks of the study. Each of these five sections is organized 
as follows: 

o A listirg of requirements and guidelines which are common to 
more than one hazard/emergency analysis, identified by letters 
whir’ are cross-referenced in the hazard/emergency analyses 
(s- - ''ction 2.0, item 8). 

o The hazard/emergency analyses, in numerical order (see section 
2.0, item 2) . 
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REQUIREMENTS AND GUIDELINES APPEARING IN MORE THAN ONE HAZARD /EMERGENCY 

ANALYSIS . 

1 . HAZARDOUS PAYLOADS 

A. Upper stage vehicle pressures shall be limited while In or near the 
shuttle such that the factors of safety are at least equal to 

the shuttle tank factors of safety. 

B. Gaseous content of upper stage vehicle tanks shall be small enough 
so that rapid isentropic expansion into the shuttle cargo bay will 
not result in overpressure. 

C. Tanks shall be designed so that failure due to overpressure will not 
produce shrapnel. 

D. Relief capability shall be provided for the upper stage vehicle tanks 
which automatically limit maximum pressure. Venting shall be to 
space or to a tank at lower pressure, and shall be arranged so that 
mutually reactive fluids cannot mix and result in a fire or explosion. 

E. An external container of sufficient size and strength to contain all 
upper stage vehicle contents shall be provided. 

F. Capability shall be provided to detect potential tank failures by 
measurement of fluid pressures, temperatures, tank strains, or 
other means . 

G. Capability shall be provided for the shuttle crew to vent and dump 
upper stage vehicle pressurized or hazardous fluids to space within the 
time constraints imposed by an abort situation. This capability shall 
be available with the cargo bays open or closed. 

H. Pressurizing gas on upper stage vehicles shall be turned off until 
immediately prior to release of the vehicle from the shuttle. 

I. Cargo bay thermal insulation shall be designed as a fragmentation 
blanket. 

J. Shuttle hardware required for abort shall be located remotely from 
the cargo bay, or protected against the potential effects of upper 
stage vehicle explosions which would not cause primary shuttle 
structure failure. 

K. Always-open cargo bay vents to space shall be provided on the shuttle 
which limit internal cargo bay pressures from upper stage vehicle 
leakage to the cargo bay allowable limits. 
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L. Capability shall be provided on the shuttle for automatic cargo bay 
venting when the always-open vents are inadequate, in order to increase 
the allowable flow from inside to outside and to protect against re- 
entry ingestion through always-open vents. 

M. Cargo bay doors shall be open at all times in earth orbit. 

N. All shuttle hardware contained in and near the shuttle cargo bay shall 

be capable of being functionally isolated from those components necessary 
for de-orbit, re-entry and landing so that an accident in the cargo bay 
shall not prevent shuttle abort. 

O. Vented gases from the shuttle cargo bay shall not be allowed to flow 
past the shuttle propellant tanks. 

P. Shuttle equipment and structure exposed to vented gases from the cargo 
bay shall be protected against the effects of corrosion and be capable 
of inspection on the ground. 

Q. Liquid propellants of retrieved upper stage vehicles shall be dumped 
to space before initiation of the shuttle orbiter deorbit maneuver. 

R. Upper stage vehicle propellant tank pressures shall be reduced to the 
minimum operating value before retrieval into the orbiter cargo bay. 

S. Cargo bay pressure and selected wall temperatures shall be monitored. 

T. Capability shall be provided in the shuttle cargo bay for the detection 
of leakage of specific fluids on board the upper stage vehicles. 

U. Orbiter crew control of upper stage vehicle shall be provided until 
separation from the orbiter precludes possibility of recontact. 

V. Cargo bay surface materials which may be exposed to leaking corrosive 
fluids from payload shall be constructed or protected against corrosion. 

W. The upper stage vehicle shall be extended and released outside of the 
cargo bay such that upper stage vehicle rotation about its center of 
gravity in any direction upon release, will not impact any part of the 
orbiter. 

X. Procedures shall be available for extra-vehicular inspection and release 
or re-attachment of partially released upper stage vehicles in orbit. 

Y. Toxic fluid containers shall be located in unpressurized volumes of 
pressurized payloads, or shall be double contained with the capability 
of dumping the fluid to space or off-loading to another double container, 
and of venting the space between the two containers to space. 
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Z. Double contained toxic fluid containers shall be provided with means to 
detect leakage of the toxic fluid into the space between the containers, 
and with means to detect penetration of the outside container. 


a. Means shall be provided for detecting a toxic environment in pressurized 
orbit payloads containing toxic or potentially toxic fluids. 

b. Emergency capability shall be provided to sustain personnel when in a 
manned payload, following detection of a toxic environment in the payload, 
until escape into the orbiter can be effected. 

c. Special protective garments and equipment shall be provided for personnel 
working in a toxic environment or near potentially toxic payload elements. 

d. Capability shal] be provided to purge or dump io space a toxically 
contaminated atmosphere in a pressurized orbiter navi cad. 

e. Capability shall be provided to purge or vent the orbiter airlock 
and tunnel to space following emergency egress of passengers from a 
toxic payload environment, or following IVA personnel entry for 
inspection and subsequent return to prevent the toxic encironment 
from contaminating the orbiter crew and passenger compartment. 

f. Means shall be provided to decontaminate personnel who have been exposed 
to a toxic environment in the payload which can be propagated to the 
orbiter before entering the orbiter crew and passenger compartments. 

g. Instrumentation of payloads shall be provided to assist in isolating 
cause and source of fire. 

h. Capability to release, eject, or extend the payload shall be provided so 
as to prevent damage to the orbiter at the expense of the payload. 

i. Capability shall be provided for the orbiter crew to vent and dump 
fl amma ble, or hazardous payload fluids to space within the time constraints 
imposed by an abort situation. This capability shall be available with 
the cargo bay doors open or closed. 

j. Capability shall be provided to switch off all electrical loads to payload 
from the orbiter. 

k. Thermal insulation shall be provided an orbiter cargo bay structure to 
minimize orbiter structure absorption of radiated heat from payJoid fire. 

l. Thermal insulation shall be provided between orbiter cargo bay/payioad 
attach points and other physical interfaces to minimize thermal con- 
duction to orbiter structure. 
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m. Fire ard heat resistant protection of orbiter to payload command end 
Instrumentation interfaces shall be provided. 

n. Ignition sources in the orbiter vay, such as switches and relays, shall 
be sealed or otherwise contained so as to prevent ignition of flammable 
fluids . 

o. Hazardous fluids or materials shall be double contained during handling 
and trasnfer In pressurized areas. Capability shallbe provided to 
verify the integrity of both containers before and after transfer. 

p. Capability shall be provided to vent the space between double containers 
for hazardous fluid handling to space and for dumping the fluid to space 
or off-loading to another container. 

q. Procedures shall be available for handling and transferring hazardous 
fluids or materials in a pressurized area from a singly penetrated 
double container to a storage container without releasing fluid or 
material to the spacecraft atmosphere. 

r. A lower pressure than the ambient atmosphere shall be maintained in 
containers of hazardous fluids or materials during handling ard 
transfer in pressurized areas. 

s. A separate volume with an Isolated environmental control shall be 
provided for testing and opening suspect hazardous fluid or material 
cargo containers. This volume shall have the capability to vent and 
dump the material to space and to be purged of hazardous fluid or 
material. 

t. Means shall be provided for detecting the presence of spilled hazardous 
fluids or materials while bfiing handled or transferred between pressurized 
modules . 

u. Manual handling and transfer of hazardous fluids or materials shall be 
carried out by two or more personnel who shall have no other duties 
during this operation. 

v. During handling and transfer of hazardous fluids or materials, no other 
manned operations shall be planned along the transfer path. 

w. Mutually reactive fluids shall not be handled or transferred simul- 
taneously. 

x. The pressures, temperatures, or other parameters which indicate the 
status of hazardous fluids or materials shall be verified befcre they 
are transported. 

y. Hand carried cargo shall be limited to 45 kg (100 lb) mass, provided 
the center of mass is within 35 cms (14 ins.) of the handhold. Cargo 
which exceeds these limits shall be transported with mechanical assist. 
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z. Cargo in which a rupture or leakage through the containers would result 
in uncontrolled motion of the cargo because of propulsive forces beyond 
a single man's capability to control or because toxicity requires 
immediate abandonment and evacuation of the area shall not be hand- 
carried . 


aa. Packaging of hand-carried cargo shall be provided with multiple hand 
holds, shall allow forward visibility by the controlling personnel, and 
shall be capable of surviving impact against a sharp object at 3 m/sec 
(10 ft/sec). 

bb. Provisions shall be made for rapidly securing hand-carried cargo to 

various structural points along the transfer path so as to prevent loss 
of control cf the cargo in the event of an emergency. 

cc. Emergency procedures shall be available for handling, containing, and 
disposing of spilled hazardous fluids or materials so as to safeguard 
the personnel, orbiter and payload, in that order. 

dd. Cargo handling mechanisms shall allow for stoppage of the motion, 
reversal of the motion, or release of the cargo at any point along 
the transfer path. 

ee. The transfer of cargo with mechanical assist shall either be visually 
monitored by personnel who are free of other duties, or shall be 
provided with sensing devices which automatically stop the motion if 
the cargo interfaces with structure or equipment. 

ff. Personnel will not be located during cargo transfer in positions which 
can result in their entrapment if the cargo mechanism fails. 

gg. Emergency procedures shall be available for the release, handling 

and transportation of remotely controlled cargo in the event of failure 
of the handling mechanism, or of damage to the packaging of the cargo. 

hh. Cargo handling mechanisms shall be designed to withstand the propulsive 
forces that would result from a leaking or ruptured fluid cargo. 
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REQUIREMENTS AND GUIDELINES APPEARING IN MORE THAN ONE HAZARD /EMERGENCY 
ANALYSIS . 


2. DOCKING 


A. The reaction jet control system shall provide redundancy to preclude 
"Jet stuck off" conditions. 

B. The rate command and rate/attitude feedback loops of the rotational 
control system shall provide redundancy to preclude "open loop" 
failures. 

C. Inhibit capability shall be provided to control the "jet stuck on" 
condition. 

D. Space Station modules which are used in the free flying docking mode 
shall be provided with redundant means for communication, guidance, 
control, power, propulsion, and other functions critical to the docking. 

E. The operational status of systems on Space Station modules which are 
used in the free flying docking mode, including redundant systems, 
shall be verified before the module is separated from the orb iter 

or station. 

F. Emergency procedures shall be available for the orb iter to pursue and, 
if possible, dock to a Space Station module used in the free flying 
module docking mode which has lost control. These procedures shall allow 
personnel escape or rescue within their life support capability. 

G. Pressure suits and back packs shall be provided for all personnel on- 
board Space Station modules used in the free flying module docking 
mode. These suits shall be suitable for emergency EVA escape to a 
nearby Space Station or orb iter. 

H. An airlock capability which allows all on-board personnel to perform 
EVA emergency escape shall be provided on-board Space Station. modules 
used in the free flying module docking mode. This may be provided by 
a separate 2-man airlock or may be an integral capability of the 
whole module. 

I. Emergency life support capability for all on-board personnel shall be 
provided on Space Station modules used in the free flying docking mode 
until emergency escape or rescue can be achieved. 
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REQUIREMENTS AND GUIDELINES APPEARING IN MORE THAN ONE HAZARD /EMERGENCY 
ANALYSIS . 


3. ON-BOARD SURVIVABILITY 


A. Capability shall be provided to reduce the pressure in each compartment 
sufficiently, or Increase it in the adjoining compartment (s) and to cut 
off air circulation, so that in an emergency the atmosphere in the 
affected compartment will not be propogated into adjoining compartments. 

This capability shall be controlled remotely from each compartment . 

B. Automatic venting capability shall be provided in each compartment so 
that in the event of a fire or release of gases within the compartment 
the pressure will not exceed the structural limits of the structure or 
the capability of seals to other compartments to exclude the contaminated 
atmosphere . 

C. Normally habitable compartments of more than 25 m^ (880 ft^) in volume 
shall have two or more exits into areas which provide for personnel 
survival. These exits shall be at least 3 m. (10 ft) apart. 

D. Flammable, explosive or gas generating material shall be located so that 
the energy content which can be propogated at any one location shall not 
result in overpressurization of the compartment from heat and gas 
production. 

E. Flammable explosive or gas generating material within 3 m (10 ft) of the 
entrance to compartments with only one entry/egress path shall be limited 
so that the energy content, if released, will not result in damage or 

an environment which prevents shirtsleeve access through the entrance. 

F. Capability shall be provided for the emergency shirtsleeve survival of 
all on-board personnel until the next resupply or emergency shuttle flight 
following the loss of access to any one module /compartment and the loss of 
equipment and supplies in that module /compartment. A shirtsleeve accessible 
docking port shall be available. If the loss of the module /compartment 
divides the station into two or more isolated habitable sections, then 

each sectin shall provide the survival capability for all on-board personnel, 
including an available docking port. 

G. EiL^rgency capability shall be provided on orbiter flights with a manned 
sortie module for the return to earth of all the passengers in the 
orbiter, without support from the sortie module. 

H. Emergency capability shall be provided on manned sortie modules for the 
return to earth of all the passengers in the sortie module, without 
life support from the orbiter. 

I. Orbiter equipment required for returning the orbiter to earth shall be 
capable of operative in depressurized environment. The controls 
for this equiptr^t sbalj b.» operable by crewmen in pressure suits. 
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J. A backup EVA egress /Ingress hatch which can be used for contingency 

EVA shall be available. Capability for depressurization and repressuri- 
zation of the connecting compartment /module shall be provided. 

K. On orbiter missions without attached manned sortie modules in which 
EVA is planned as part of the normal mission, pressure suits shall 
be carried for all on-board personnel. 


/ 
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HAZARD/EMERGENCY ANALYSIS 


Page 1 of 3 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


1 . 1.001 

7-27-71 


HAZARD/c MERGENCY 


SOURCE 


\ Explosion/rupture of a pressurized container in an upper stage vehicle inside or 
1 near orbiter. 


- 1. Shuttle fluids are liquid hydrogen, liquid oxygen, gaseous helium, JP fuel, Aerozine -50, 
i hydraulic fluid, water/glycol, nitrogen gas and nitrogen tetroxide. 

f* 

2. Upper stage -vehicles retain their current complement of pressurized containers. 

(Continued on Page 2.) 


j Damage to shuttle struct-*:, and equipment principally in cargo bay from: (1) Rupture of 
I pressurized containers into fragments, (2) Initiation of a pressure wave producing shock, 

| (3) Release of excessive fluid which increases cargo bay pressure beyond venting capability 
a and increases heat leaks into shuttle propellant tanks. 

J I REQUIREMENTS & GUIDELINES I I CODE | RGD REF. 


I l.A.Upper stage vehicle pressures shall be limited while in or near the 
shuttle such that the factors of safety are at least equa. to 
the shuttle -ank factors of safety. 

1 2. B. Gaseous content of upper stage vehicle tanks shall be small enough 
' so that rapid isentropic expansion into the shuttle cargo bay will 

I not result in overpressure. 

3. C. Tanks shall be designed so that failure due to overpressure will not 
produce shrapnel. 

\\ 

j 4. D. Relief capability shall be provided for the upper stage vehicle tanks 
j which automatically limit maximum pressure. Venting shall be to 

space or to a tank at lower pressure, and shall be arranged so that 
j mutually reactive fluids cannot mix and result in a fire or explosion 

. *.E,An external container of sufficient size and strength to contain 
all upper stage vehicle contents shall be provided. 

(Continued on Page 2.) 


IV- 4.2 

V- II-3.1 


X 1 G R IV-4.2 

V-II-3.1 


X 1 G R IV-4.2 

V-II-3.1 


RESOLVED HA ZARD 
' RESIDUA 


REC9MEN0ED (X) OR ROT (-) — 

NO. OF HRPS (1. 2, 3, 4) — 

REQUIREMENT (R) OR 6UIDO.INE «)■ 
PREVENTIVE (P) OR REMEDIAL (R) - 
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HAZARO/EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE L OF 


NO. 

1.1.001 

DATE 

7-27-71 


HAZARD/EMERGENCY 

Ixplosion/rupture of a pressurized container in an upper stage vehicle inside or near 
orbiter. 

(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

ASSUMPTIONS (cont) 


2. (Continued) 


Agena 


Centaur 

X 


Transtage Burner II 


Helium Tarks X 

Nitrogen Tanks X 

Nitrogen Tetroxide Tanks 
Aerozene -50 Tanks 
Hydrogen Peroxide Tanks 
Liquid Oxygen Tanks 
Liquid Hydrogen Tanks 
Monomethyl Hydrazine Tanks 
Water/Glycol Tanks 
Unsymmetrical Dimethyl 

Hydrazine X 

Inhibited Red Fuming Nitric X 
Acid 

REQUIREMENTS & GUIDELINES (cont) 


6. F. Capability shall be provided to detect potential tank failures by 

measurement of fluid pressures, temperatures, tank strains, or 
other means. 

7. G. Capability shall be provided for the shuttle crew to vent and dump 

upper stage vehicle pressurized or hazardous fluids to space within 
the time constraints imposed by an abort situation. This capability 
shall be available with the cargo bay doors open or closed. 

8. H. Pressurizing gas on upper stage vehicles shall be turned off until 

immediately prior to release of the vehicle from the shuttle. 

1 9.1. Cargo bay thermal insulation shall be designed as a fragmentation 
blanket 

LOJ. Shuttle hardware required for abort shall be located remotely from 
the cargo bay, or protected against the potential effects of upper 
stage vehicle explosions which would not cause primary shuttle 
structure failure. 


CODE IRGD REF | 


X 3 R P 


X 2 R P 


IV- 3.3 

V- II-3. 


llV-3.2 

IV-II-3.: 


X 4 R P 

- 1GR 
I X 1 R R 


LV-3.1 


(Continued on Page 3.) 
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NALYS I S 


PAGE OF 


NO. 

1.1.001 

DATE 

7-27-71 

1 


HAZARD/EMERGENCY 

Explosion/rupture inside of a pressurized container in an u^per stage vehicle 
inside or near orbiter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) 

11. K. Always-open cargo bay vents to space shall be provided on the 

shuttle which limit internal cargo bay pressures from upper stage 
vehicle leakage to the cargo bay allowable limits. 

12. L. Capability shall be provided ru the shuttle for automatic cargo 

bay venting when the always-open vents are inadequate, in order to 
| increase the allowable flow from inside to outside and to protect 

i against re-entry ingestion through always-open vents. 

i 

1 13. M. Cargo bay doors shall be open at all times in earth orbit. 

14. N. All shuttle hardware contained in and near the shuttle cargo bay 
shall be capable of being functionally isolated from those com- 
ponents necessary for de-orbit, re-entry and landing so that an 
accident in the cargo bay shall not prevent shuttle abort. 

15.0. Vented gases from the shuttle cargo bay shall not be allowed to 
flow past the shuttle propellant tanks. 

16. P. Shuttle equipment and structure exposed to vented gases from the 

cargo bay shall be protected against the effects of corrosion and 
be capable of inspection on the ground. 

17. Q. All upper stage vehicle liquid propellants shall be dumped to 

space before retrieval of the vehicle into the orbiter cargo bay. 

jl8.R. Upper stage vehicle propellant tank pressures shall be reduced to 
! . the minimum operating value before retrieval into the orbiter 
j cargo bay. 


CODE 
X 1 R 


X 4 G 
X 1 R 


IV-3.1 


X 1 'G Hi IV-3.1 


IV-3.4 

IV-3.1 


|X 1 R b IV-3.1 

V-II-4.1 

IX 2 R R IV-3.2 


X 4 R P IV-3.4 

V-II-3.4 

X 4 R P IV-3.4 

V-II-3.4 
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HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


Page * of 3 


1 . 1.002 

8-5-71 


HAZARD/EMERGENCY 


SOURCE II-2.1.2 


Combination of mutually reactive upper stage vehicle fluids leading to explosion or 
fire inside or near orbiter. 


1. Shuttle fluids are liquid hydrogen, liquid oxygen, gaseous helium, JP fuel, Aerozine -50, 
hydraulic fluid, water/glycol, nitrogen gas and nitrogen tetroxide. 

2. Upper stage vehicles retain their current complement of propellants. 

(Continued on Page 2.) 


ENTIAL EFFECTS 


Damage to shuttle structure and equipment principally in cargo bay from: 1) Iniation of 
a pressure wave producing shock; and 2) Heat input from radiation, circulation, and 
conduction of products of combustion. 


REQUIREMENTS & GUIDELINES 



CODE 


l.A Upper stage vehicle pressures shall be limited while in or near the X 1 G P 
shuttle such that the factors of safety are at least equal to 
the shuttle tank factors of safety. 


2. B. Gaseous content of upper stage vehicle tanks shall be small enough 
so that rapid isentropic expansion into the shuttle cargo bay will 
not result in overpressure. 


X 1 G R 


3. D. Relief capability shall be provided for the upper stage vehicle tanks X 2 R P 

which automatically limit maximum pressure. Venting shall be to 
space or to a tank at lower pressure, and shall be arranged so that 
mutually reactive fluids cannot mix and result in a fire or explosion. 

4. E.An external container of sufficient size ard strength to contain - 2 G R 

all upper stage vehicle contents shall be provided. 

5 . F. Capability shall be provided to detect potential tank failures by X 3 R P 

measurement of fluid pressures, temperatures, tank strains, or 
other means. 

(Continued on Page 2.) 


RECOMMENDED (X) OR ROT (-) 


BFSOLVED HAZARD 


RESIDUAL HAZARD jx 
1 .•'-88-3138 











hazard/emergency ANALYS I s 
(CONT IN UED) 


PAGE 2 OF 3 


NO. 

1.1.002 

DATE 

i 

8-5-71 


HAZARD/EMERGENCY 

Combination of mutually reactive upper stage vehicle fluids in explosion or 
fire inside or near orbiter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
ASSUMPTIONS (cont) 


2. (Continued) 


Nitrogen Tetroxids 
Aerozene -50 
Hydrogen Peroxide 
Liquid Oxygen 
Liquid Hydrogen 
Monomethyl Hydrazine 
Water /Glycol 

Unsymmetrical Dimethyl Hydrazine 
Inhibited Red Fuming Nitric Acid 

REQUIREMENTS & GUIDELINES (cont) 


Agena Centaur Trans tage Burner II 


QOS /Tug 


j 8.1. Cargo bay thermal insulation shall be designed as a fragmentation 
blanket. 

t 

l 

t 9. J. Shuttle hardware required for abort shall be located remotely from 
the cargo bay, or protected against the potential effects of upper 
stage vehicle explosions which would not cause primary shuttle 
structure failure. 

10.K. Always-open cargo bay vents to space shall be provided on the 

shuttle which limit internal cargo bay pressures from upper stage 
vehicle leakage to the cargo bay allowable limits. 


CODE 
X 2 R 


6. G. Capability shall be provided for the shuttle crew to vent and dump X 2 R 

upper stage vehicle pressurized or hazardous fluids to space within 
the time constraints imposed by an abort situation. This capability 
shall be available with the cargo bay doors open or closed. 

7. H. Pressurizing gas on upper stage vehicles shall be turned off until X 4 R 

immediately prior to release of the vehicle from the shuttle. 


RGD REF 

P IV-3.2 
V-II-3.: 


P IV-3.4 
V-II-3. 4 


- 1 G 


X 1 R R IV-3.1 


X 1 R R IV-3.1 


(Continued on Page 3.) 
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HAZARD/EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE 3 OF 3 


NO. 

1.1.002 

DATE 

8-5-71 


HAZARD/EMERGENCY 

Combination of mutually reactive upper stage vehicle fluids in explosion or 
fire inside or near orbiter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) 

11. L. Capability shall be provided on the shuttle for automatic cargo 

bay venting when the always-open vents are inadequate, in order to 
increase the allowable flow from inside to outside and to project 
against re-entry ingestion through always-open vents. 

12 . m. Cargo bay doors shall be open at all times in earth orbit. 

13 . N. All shuttle hardware contained in and near the shuttle cargo bay 

shall be capable of being functionally isolated from those con- 
ponents necessary for de-orbit, re-entry and landing so that an 
accident in the cargo bay shall not prevent shuttle abort. 

14.0. Vented ases from the shuttle cargo bay shall not be allowed to 
flow pc.st the shuttle propellant tanks. 

15. P. Shuttle equipment and structure exposed to vented gases from the 
cargo bay shall be protected against the effects of corrosion and 
be capable of inspection on the ground. 

16. S. Cargo bay pressure and selected wall temperatures shall be 
monitored. 


X 1 G R IV-3.1 


|X 4 G R,IV-3.4 
I X T R r; IV-3.1 


X 1 R R IV-3.1 
V-II-4. 

X 2 R RIV-3.2 


X 3 G R IV-3.3 


17. T. Capability shall be provided in the shuttle cargo bay for the 

detection of leakage of specific fluids on board the upper stage 
vehicles. 


- 1 R F 


18. Q. Liquid propellants of retrieved upper stage vehicles shall be dumped X 4 R P IV-3.4 

to space before initiation of the shuttle orbiter deorbit maneuver. V-II-3, 

19. R. Upper stage vehicle propellant tank pressures shall be reduced to X 4 R P IV-3.4 

the minimum operating value before retrieval into the orbiter V-II-3, 

cargo bay. 
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HAZARD/EMERGENCY ANALYS I S 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


Page 1 of ^ 


1.1.003 

8-5-71 


HAZARD/EMERGENCY 


SOURCE 


Inadvertent detonation of explosive charge on upper stage vehicle inside or near 
orbiter. 




1. Upper stage vehicles retain their current complement of pyrotechnics: 
(Continued on Page 2.) 



Damage to i 
of the expi 
waves Into 
bay. 


REQUIREMENTS & GUIDELINES 


huttle structure an 
e charge and shatte 
surroundings , and (1 


nt principal 
he housing s 
eparation of 


in the cargo bay from (a) detonat 
ing 1) shrapnel and 2) pressure 
e uDper stage vehicle in the carg 


Housings of explosive charges shall be designed to prevent damage to 
equipment required for shuttle abort in the event of inadvertent 
detonation. 


CODE RGD REF. 


X 1 R P IV-4.2 

V-II-3.1 


2. All powder filled volumes shall be designed to allow verification of 
content by neutron ray inspection before flight. 

3. Destruct charges shall not be incorporated in upper stage vehicles 
when launched in the shuttle. 

4.1. Cargo bay thermal insulation shall be designed as a fragmentation 
blanket 


- 1 c P 


X 1 R P IV-4.2 

V-II-3.1 

- 1 G R 




5 .J. Shuttle hardware required for abort shall be located remotely from 
the cargo bay, or protected against the potential effects of upper 
stage vehicle explosions which would not cause primary shuttle 
structure failure. 


X 1 R R IV-3.1 


$ (Continued on Page 2.) 



RESOLVED HAZARD 


RESIDUAL H 


h.-jifri-SlkLi 


RECOMMENDED (X) OR NOT (-) 
NO. OF HRPS 1, 2, 3, 4) 


nvi vr nnr* tie t/ ™ 

REQUIREMENT (R) OR GUIDELINE (6)- 
PREVENTIVE (P) OR REMEDIAL (R) - 


X X X X 



















i* 

j hazard Emergency 

{inadvertent detonation of explosive charge on upper stage vehicle inside or near orbiter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
ASSUMPTIONS (cont) 

1. (Continued) 


Agena Centaur Trans tage Burner II CSM QOS /Tug 


j Connections Between Modules - 
{ Cutters. 

! Helium Valves. 

Solid Propellant Igniters. 
Turbine Start Solid Pro- 
pellant Charges. 

Explosive Bolts - Payload 
Separation. 

Linear Shaped Charge - Panel 
Separation. 

j Destruct Shaped Charges. 
External Extensions - 
Antennae. 


X 

X 

X X 

X X 

y x 


x 


X 


X 


X 

X 


X 


X 

X X 

X 

X X 

X 


REQUIREMENTS & GUIDELINES (cont) 

CODE 

RGD REE 

6.N.A11 shuttle hardware contained in and near the shuttle cargo bay 
shall be capable of being functionally isolated from those com- 
ponents necessary for de-orbit, re-entry and landing so that an 
accident in the cargo bay shall not prevent shuttle abort. 

X 1 R R 

' 

IV-3.1 

7. The amount of charge in each housing shall be below 0.1 lb TNT 
l equivalent. 

- 1 G P 

- 

j 

j 8 . Interlocks, redundancy grounding and isolation devices shall be 
1 provided on explosive charges so that no single detectable 

! failure or combination of undetectable failures shall result 

j in premature detonation. 

X 2 R P 

| 

IV-3.2 

i 

i 

1 


I 








HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

X 

SORTIE 

X 

STATION 



Page 1 of 3 

1.1.004 
~ 8-5-71 


HAZARD/EMERGENCY 


SOURCE J II-2.1.2 


Rapid decomposiCion of monopropellants located in or leaking from the upper stage 
vehicle while inside or nearorbiter. 


Aerozene -50 
Monomethyl Hydrazine 
Hydrogen Peroxide 
Solid Propellant 
Unsymmetrical Dymethyl 
Hydrazine 


Agena Centaur 


Trans t age 
X 


Burner II SM OOS/Tus 


[ potential ejects | 

Damage to shuttle structure and equipment, principally in the cargo bay from: 1) shrapnel, 
2) pressure wave and 3) heat. 


I REQUIREMENTS A GUIDELINES I 

1. Upper stage vehicle monopropellant temperatures and pressures shall 
be monitored. 

2. Crew procedures for monopropellant dump shall be provided in case of 

rapid rise in pressure or temperature. 

3. Cleanliness of the monopropellant and all materials in normal 
contact with the fluid shall be controlled so that spontaneous de- 
composition in normal and emergency environments is not possible. 

4. Catalyst materials shall not be placed in the cargo bay where they 
may come into contact with monopropellants from a leaking or ruptured 
line or tank. 

5. B. Gaseous content of upper stage vehicle tanks shall be small enough 

so that rapid isentropic expansion into the shuttle cargo bay will 
not result in overpressure. 

6. D. Relief capability shall be provided for the upper stage vehicle tanks 

which automatically limit maximum pressure. Venting shall be to 
space or to a tank at lower pressure, and shall be arranged so that 
mutually reactive flui .a cannot mix and result in a fire or explosion. 

(Continued cn Page 2.) 

RECQMEHDlu (X) OR NOT (- ) ... 


CODE 

RGD REF. 

X 3 R R 

IV-3.3 


V-II-3.3 

X 4 R R 

IV-3.4 


V-II-3.4 

X 4 R P 

V-II-3.4 

- 1 G P 



X 1G R ttV-4.2 

N-II-3.1 


X 2 R P iy-4.2 

lV-II-3.2 


X X X X 


NO. OF HNFS 1. 2. 3, ♦) — 
REQUIREMENT (A) OR OUIDELXNE («)• 
PREVENTIVE (P) OR REMEDIAL (A) - 
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HAZARD/EMERGENCY ANALYSIS 

(CONT INUED) page 2 of 3 


NO. 

1.1.004 

DATE 

8-5-71 


HAZARD/EMERGENCY 

Rapid decomposition of monopropellants located in or leaking from the upper stage 
vehicle while inside or near orbiter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) 

| 7. C. Tanks shall be designed so that failure due to overpressure will not 
j produce shrapnel. 

I 

8. F. Capability shall be provided to detect potential tank failures by 
> measurement of fluid pressures, temperatures, tank strains, or 

other means . 

9. G. Capability shall be provided for the shuttle crew to vent and dump 

upper stage vehicle pressurized or hazardous fluids to space within 
the time constraints imposed by an abort situation. This capability 
shall be available with the cargo bay dcors open or closed. 

10, I. Cargo bay thermal insulation shall be designed as a fragmentation 
blanket. 

IImJ. Shuttle hardware required for abort shall be located remotely from 
the cargo bay, or protected against the potential effects of upper 
stage vehicle explosions which would not cause primary shuttle 
structure failure. 

1 2. K. Always -open cargo bay vents to space shall be provided on the 

shuttle which limit internal cargo bay pressures from upper stage 
| vehicle leakage to the cargo bay allowable limits. 

13. L. Capability shall be provided on the shuttle for automatic cargo 

bay venting when the always-open vents are Inadequate, in order to 
i Increase the allowable flow from inside to outside and to protect 
| against re-entry ingestion through always-open vents. 

|l4.M.Cargo bay doors shall be open at all times in earth orbit. 

!l5.N.All shuttle hardware contained in and near the shuttle cargo bay 
shall be capable of being functionally isolated from those com- 
ponents necessary for de-orbit, re-entry and landing so that an 
accident in the cargo bay shall not prevent shuttle abort. 

lo.O.Vented gases from the shuttle cargo bay shall not be allowed to 
I flow past the shuttle propellant tanks. 


CODE 

RGD REF 

X 1G R 

IV-4.2 


V-II-3.tL 

X 3 R P 

IV-3.3 


V-II-3. 3 

X 2 R P 

IV-3.2 


V-II-3 . > 

- 1 G R 

* 

- 

X 1 R R 

IV-3.1 

X 1 R R 

IV-3.1 

X 1 6 R 

IV-3.1 

1 

i 

1 

X 4 G R 

1 

1 

IV-3.4 ' 

X 1 R R 

IV-3.1 

! 

v-ii-4.:. 

X 1 R R 

IV-3.1 


v-ii-4.: 


1 

I 


(Continued on Page 3.) 
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HAZARD/EMERGENCY ANALYSIS 

(CONT IN UED) page 3 of 3 


NO. 

1.1.004 

DATE 

8-5-71 


HAZARD/EMERGENCY 

Rapid decomposition of monopropellants located in or leaking from the upper stage 
vehicle while Inside or uearorbiter. 

! 

Tlist additional content in the ordfr OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) 

1 7. P -Shuttle equipment and structure exposed to vented gases from the 
cargo bay shall be protected against the effects of corrosion and 
be capable of inspection on the ground. 

| 18.Q.Liquid propellants of retrieved upper stage vehicles shall be dumped 
j to space before initiation of the shuttle orbiter deorbit maneuver. 


i 


i 

i 


i i . 


CODE 


faGD REF 


X 2 R RJ 


IV-3.2 


X 4 R PttV-3.4 

N-II-3.4 
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HAZARD/EMFRGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


Page 1 of 2 


1.1.005 
8-9-7 1 


HAZARD/EMERGENCY 


SOURCE 111-2.1.2 


Uncontrolled combustion In active upper stage vehicle reaction control engines while 
near the orb iter. 




1. RCS propellants remain the same on upper stage vehicles, 


Tran»tage 


Aerozene -50 + Nitrogen Tetroxide 
Monomethyl Hydrazine + Nitrogen Tetroxide 
Hydrogen Gas + Oxygen Gas 

(Continued on Page 2.) 


QOS /Tug 


Damage to shuttle structure and equipment, principally in the cargo bay from explosion 'f 
the engine sending, 1) shrapnel, 2) pressure waves , and 3) heat into shuttle equipment, 
and from uncontrolled upper stage vehicle motion. 


REQUIREMENTS & GUIDELINES 


CODE | RGD REF. 


1. Cold gas jets or control moment gyros for upper stage vehicles shall - 1 
be used when operating near the orb iter. 

2. The upper stage vehicle shall use jets on the opposite side from the - A 
orbiter for maneuvers near the orb iter. 

3. Capability shall be provided to detect combustion instability during - 3 
firing. 

4. U Orbiter crew control of upper stage vehicle shall be provided until X A 

separation from the orbiter precludes possibility of recontact. 

5. Orbiter orientation shall point the longitudinal axis toward the X A 

separated upper stage vehicle until a safe cepcration distance has 

b*en achieved. 


IV- 3 .A 

V- II-3.A 

IV- 3. A 

V- II-A.l 


RESOLVED HAZARD 
RESIDUAL HASaIIT 


RECOffENOED (X) OR NOT (- 
NO. OF HRPS 1. 2, 3, A ) 
REQUIREMENT (A) OR 6UIDELI! 
PREVENTIVE (P) OR REMEDIAL 


X) OR NOT (-) — 

1. 2, 3, A ) — 

R) OR SIDELINE (8)« 
) OR REMEDIAL (R - 












HAZARD/EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE 2 OF 2 


NO. 

1.1.005 


DATE 

8-9-71 






j HAZARD/EMERGENCY 

Uncontrolled combustion In active upper stage vehicle reaction control engines while 
near the orbiter. 

t 

I 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

' ASSUMPTIONS (cont) 

2. The upper stage vehicle reaction control system is activated immediately upon 
separation from the orbiter. 

3. Main engine burn will occur on the upper stage vehicle at a large, safe, 
separation distance from the orbiter. 








Leakage of corrosive fluids from upper stage vehicle tanks while inside the orb iter 


lEKWHiaiMS 


1. Upper stage vehicles retain current complement of corrosive fluids: 

Agena Centaur Trans tage Burner SM OQS/Tug 


Nitrogen Tetroxide 
Hydrogen Peroxide 
Liquid Oxygen 
Inhibited Red Fuming 
Nitric Acid 


I POTENTIAL EFFECTS 


Damage to orbiter structure and equipment principally in the cargo bay from corrosion 
of orbiter components as a result of leakage of corrosive fluids. 


REQUIREMENTS 


GUIDELINES 


1. A Upper stage vehicle pressures shall be limited while in or near the 

orbiter such that the factors of safety are at least equal to 
the orbiter tank factors of safety. 

2. B Gaseous content of upper stage vehicle tanks shall be small enough 

so that rapid isentropic expansion into the orbiter cargo bay will 
not result in overpressure. 

3. E An external container of sufficient size and strength to contain 

all upper stage vehicle contents shall be provided. 

4. F Capability shall be provided to detect potential tank failures by 

measurement of fluid pressures, temperatures, tank strains, or 
other means. 


CODE RGD REF. 


1 G P IV-4.2 

V-II-3.1 


X 1 G R 


- 2 G R 


IV- 4.2 

V- TI-3.1 


3 R P IV-3.3 
V-II-3.3 


5.G Capability shall be provided for the orbiter crew to vent and dump 
upper stage vehicle pressurized or hazardous fluids to space within 
the time constraints imposed by an abort situation. This capability 
shall be available with the cargo bay doors open or closed. 

(Continued on Page 2.) 


2 R P IV-3.2 

V-II-3.2 


XXX 


RESOLVED HAZARD 
RESIDUAL HAlAift 'TT 


RECOMMENDED (X) OR NOT ( -) — 

NO. OF HRFS 1. 2, 3, 4, ) — 

REQUIREMENT (R) OR SIDELINE («)• 
PREVENTIVE (P) OR REMEDIAL (R) - 
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HAZARD/EMERGENCY ANALYSIS 
(CONT IN UED) 


PAGE 2 OF 3 


NO. 

1.1.006 

DATE 

8-9-71 


! HAZARD/EMERGENCY 

Leakage of corrosive fluids from upper stage vehicle tanks while inside the orb iter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) 

6. H Pressurizing gas on upper stage vehicles shall be turned off until 

immediately prior to release of the vehicle from the orb iter. 

7. D Relief capability shall be provided for the upper stage vehicle tanks 

which automatically limit maximum pressure. Venting shall be to 
space or to a tank at lower pressure, and shall be arranged so that 
mutually reactive fluids cannot mix and result in a fire or explosion 

8. K Always-open cargo bay vents to space shall be provided on the 

shuttle which limit internal cargo bay pressures from upper stage 
vehicle leakage to the cargo bay allowable limits. 

9. L Capability shall be provided on the orbiter for automatic cargo 

bay venting when the always-open vents are inadequate, in order to 
increase the allowable flow from inside to outside and to protect 
against re-entry ingestion through always-open vents. 

10 . M Cargo bay doors shall be open at all times in earth orbit. 

11. N All orbiter hardware contained in and near the shuttle cargo bay 
shall be capable of being functionally isolated from those com- 
ponents necessary for de-orbit, re-entry and landing so that an 
accident in the cargo bay shall not prevent orbiter abort. 

|l2.0 Vented gases from the shuttle cargo bay shall not be allowed to 
flow past the orbiter propellant tanks. 

|L3.P Orbiter equipment and structure exposed to vented gases from the 
cargo bay shall be protected against the effects of corrosion and 
be capable of inspection on the ground. 

(L4.S Cargo bay pressure and selected wall temperatures shall be 
monitored. 

|L5.T Capability shall be provided in the orbiter cargo bay for the 

detection of leakage of specific fluids on board the upper stage 
vehicles. 

j.6.V Cargo bay surface materials which may be exposed to leaking 

corrosive fluids from payload shall be constructed or protected 
against corrosion. 

(Continued on Page 3.) 


CODE 

RGD REF. 

X 4 Rp 

1V-3.4 


V-II-3.4 

X 2 R p 

1V-4.2 


V-II-3.2 

X 1 R R 

IV-3.1 

X 1 G R 

IV-3.1 

X 4 G R 

IV-3.4 

X 1 R R 

IV-3.1 

X 1 R R 

IV-3.1 


V-II-4.1 

X 2 R R 

IV-3.2 

X 3 G R 

IV-3.3 

- 1 R P 

— 

X 1 G R 

IV-3.1 


TTJ'-v»- H JT 
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HAZARD/EMERGENCY ANALYSIS 
(CONT IN UED) 


PAGE 


OF 


NO. 

1.1.006 

DATE 

8-9-71 


i HAZARD 'EMERGENCY 

! 

Leakage of corrosive fluids from upper stage vehicle tanks while inside the orb iter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cent) CODE 

17. J Orbiter hardware required for abort shall be located remotely from X 1 R R 

the cargo bay, or protected against the potential effects of upper 
stage vehicle explosions which would not cause primary orbiter 
structure failure. 

18 . Q Liquid propellants of retrieved upper stage vehicles shall be dumped 4 R P 

to space before initiation of the shuttle orbiter deorbit maneuver. 


19. R Upper stage vehicle propellant tank pressures shall be reduced to 
the minimum operating value before retrieval into the orbiter 
cargo bay. 


X 4 R P 


RGD REF. 


IV-3.1 


IV- 3.4 

V- II-3.4 

IV- 3.4 

V- II-3.4 


it ".- ' T I T f 
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HAZARD/EMERGENCY ANALYSIS 


Page 1 o f 2 


PROGRAM 


SHUTTLE 

X 

SORTIE 

X 

STATION 



NO. 

1.1.007 

DATE 

8-10-71 


HAZARD/tMERGENCY f 


I SOURCE I II-2.1.2 


Inadvertent start of an upper stage vehicle main or reaction control rocket engine while 
inside orb iter cargo bay. 


mumi&Nr 


1. Upper stage vehicle retains the current complement oi .ocket engines. 

Number of Engines 

Type of Engine Agena Centaur Trans t age Burner II SM QOS /Tug 


2 

8 


2 

12 


1 

4 


1 

16 


1-4 

20 


Main Engine 
RCS Engine 

Inadvertent firing of an upper stage vehicle main propulsion engine while in the 
cargo bay will be catastrophic to the orb iter. 

I'PGTenTiaL" effects' 


2 . 


Damage to orbiter equipment in the cargo bay from 1) over-heating by direct heating from 
the exhaust plume, 2) over-pressure from the products of combustion, 3) changing the 
insulating properties of the space between shuttle tanks, and 4) impulse, rotation and 
translation, leading to structural and equipment damage. 

guidelines! " ' 


CODE 

RGD REF. 

1KP 

IV-4 . 2 
v-n-3.1 

1 R P 

IV- 4.2 

V- II-3.1 

2 R P 

IV- 3.2 

V- II-32. 

4 RP 

IV- 3.2 

V- II-3.2 

1 R R 

IV-3,1 

XXX 



1 . 


REQUIREMENTS A 

Propellant shut-off valves upstream from all start valves shall be 
provided so that inadvertent main valve opening would not start 
engines on upper stage vehicles while in or near the orbiter. 

2. The design of the upper stage vehicle control system shall only allow 
supply of electrical energy to the start valves of the rocket engines 
following positive action by the orb iter crew during upper stage 
vehicle count-down in orbit. 

3. G Capability shall be provided for the orbiter crew to vent and dump 

upper"' stage vehicle pressurized or hazardous fluids to space within 
the time constraints imposed by an abort situation. This capability 
shall be available with the cargo bay doors open or closed. 

4. H Pressurizing gas on upper stage vehicles shall be turned off until 

immediately prior to release of the vehicle from the orbiter. 

5. Always-open cargo bay vents to space shall be provided on the 
orbiter which limit internal cargo bay pressures from the combustion 
products of a single. upper stage vehicle reaction control rocket 
engine to the cargo bay allowable limits. 

(Continued on Page 2.) 

RECOMMENDED (X) OR NOT ( - ) - — — 

NO. OF HRPS (1. 2, 3, < ) 

REQUIREMENT (R) OR OUIMELIN 
PREVENTIVE (P) OR REMEDIAL 


1 RESOLVED HAZARD 
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HAZARD/EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE 2 OF 2 


NO. 

1.1.007 

DATE ; 

8-10-71 

' 


i HAZARD/EMERGENCY 

I 

| Inadvertent start of an upper stage vehicle main or reaction control rocket engine 
| while inside orbiter cargo bay. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
i REQUIREMENTS & GUIDELINES (cont) CODE 

| 6.L Capability shall be provided on the orb ter for automatic cargo X 1 G 

bay venting when the always-open vents are inadequate, in order to 
increase the allowable flow from inside to outside and to protect 
j against re-entry ingestion through always-open vents. 

| 7.M Cargo bay doors shall be open at all times in earth orbit. X 4 G 

, 8.N All orbiter hardware contained in and near the orbiter cargo bay X 1 R 

j shall be capable of being functionally isolated from those com- 
ponents necessary for de-orbit, re-entry and landing so that an 
accident in the cargo bay shall not prevent orbiter abort. 

9.0 Vented gases from the orbiter cargo bay shall not be allowed to X 1 R 

flow past the orbiter propellant tanks. 

10 . P Orbiter equipment and structure exposed to vented gases from the X 2 R 

cargo bay shall be protected against the effects of corrosion and 
be capable of inspection on the ground. 

11. Insulation patches shall be provided on the cargo bay walls - 2 G 

opposite all payload reaction control engines which will protect 

the walls from the combustion products. 

12. u Orbiter crew control of upper stage vehicle shall be provided until x 4 R 

separation from the orbiter precludes possibility of recontact. 

13. Q Liquid propellants of retrieved upper stage vehicles shall be dumped x 4 R 
j to space before initiation of the shuttle orbiter deorbit maneuver. 


CODE RGD REF . 


X 1 G R IV-3.1 


X 4 G R IV-3.4 
X 1 R R IV-3.1 


X 1 R 


R IV-3.1 
V-II-4.1 


X2RR IV -3’2 


- 2 G R — 


R IV-3.4 
V-II-4.1 

P IV-3.4 
V-II-3.4 
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HAZARD/EMERGENCY ANALYSIS 

Page 1 of 2 


PROGRAM 

SHUTTLE 

X 

SORTIE 

X 

STATION 



• 

O 

z 

1.1.008 

DATE 

8-12-71 


HAZARD/EMERGENCY | 


SOURCE ln-2.1.2 


Inadvertent separation of ar. upper stage vehicle attach point while in the orb iter. 



“ TgClftfflgEg — | 

The upper stage vehicles are supported in the orb iter cargo bay at a discrete number 
of attachment points. 


TTOENfiAr '"flTCTTl — 

1. Damage to the orb iter structure and equipment, particularly in the cargo bay, from 
collision with loose upper stage vehicle equipment or payload. 


2. Inability to re-enter and land orb iter if payload remains loose in cargo bay. 


REQUIREMENTS l GUIDELINES 1 


CODE 


RGD REF. 


1 . 


The factors of safety for the upper stage vehicle and orb iter attach- 
ment point shall be at least equal to . the normal orb iter 
structure factors of safety. 


X 1 G P 


IV- 3.1 

V- I 1-3.1 


2. The upper stage vehicle shall be supported in the orbiter so that 
failure of any one structural support member will not jeopardize 
support of the upper stage vehicle during return to earth. 


X 1 R P 


IV- 3.1 

V- II-3.1 


3. The design of the upper stage vehicle control system shall only 
allow supply of electrical energy to the separation mechanism 
following positive action by the orbiter crew during upper stage 
vehicle count-down in orbit. 


K 1 R P 


IV- 4.2 

V- II-3.1 


4. The internal surface of the cargo bay shall be coated with a shock 
absorbent blanket. 


- 1 G R 


'. A restraint system shall be provided for the upper stage vehicles 
in the orbiter cargo bay which prevents contact of the vehicle with 
orbiter structure or equipment in the event of partial or total 
release of the attachment points. 


K2RF 


IV- 3.2 

V- II-3.2 


Continued on Page 2.) 


SOLVED HAZARD 
tESIDUAL HAZARD 

H8-5I5 1 


T 


RECOMENOED (X) OR NOT (- ) — 

NO. Of HRPS h 2. 3, 4, ) — 

REQUIREMENT (R) OR 8UZDELINE 0)- 
PREVENTIVE (P) OR REMEDIAL (R) - 


X X X X 
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HAZARD/EMERGENCY ANALYSIS 

(CONTINUED) page 2 of 2 



i 

i 

i 



HAZARD 'EMERGENCY 

Inadvertent separation of an upper stage vehicle attach point while In the orhlter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

i 

, REQUIREMENTS & GUIDELINES (cont) CODE 

I 6. Procedures shall be available to apply unidirectional translational X 4 R R 
or rotational acceleration to the orb iter in the event of a partial 
or total release of the payload in the cargo bay until loose parts 
' and the payload have settled sufficiently to allow further corrective 
action. 

7. Procedures shall be available for backing off the orb iter from an X A R R 
upper stage vehicle inadvertently separated in the orbiter cargo 
I bay without contact of the upper stage vehicle with orbiter struct- 
ure or equipment while in orbit. 

i 8. Procedures shall be available for extra-vehicular inspection and X 4 R R 

release or re-attachment of partially released upper stage vehicles 
in orbit. 

9. Means shall be provided to indicate to the orbiter crew that a X 3 R P 

retrieved upper stage vehicle is positively secured at all attach 
| points prior to deorbit and reentry. 


i 


1 

I 
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HAZARD/EMERGENCY 


Loss of attitude/ translation control of upper stage vehicle upon release from orbiter. 


RWUXliilWM 


1. Upper stage vehicle has attitude hold and/or translation capabilities. 


Translation - Main Engine 

- RCS 

- Auxiliary 

Attitude Hold - RCS Couples 
- Off-Center 

* ( ) Number of directions 


Agena Centaur Transtage Burner II SM QOS /Tug 


X(l)* X(l) 
X X(l) 


X(l) 

X(l) 


X(l) X(l) X(l) 

X(2) X(6) X(6) 


XX X 

(Continued on Page 2.) 


1. Damage to shuttle structure and equipment on cargo bay doors and near external skin 
from collision with the out-of-control upper stage vehicl** or payload. 

2. Catastrophic damage to upper stage vehicle leading to explosion and orbiter structural 

failure. 


| CODE I ROD REF. 


REQUIREMENTS & GUIDELINES 


1. Attitude control couples in all six rotational modes shall be provided }K 1 G P 
on upper stage vehicles. I 


2. The planned attitudes of the upper stage vehicle during release and 
separation from the orbiter shall be such that the attitude control 
engines at no time accelerate the vehicle towards the orbiter. 

3. All attitude control engines and electronics shall be redundant on 
upper stage vehicles. 


4 G R 


1 R P 


4. The cargo bay doors shall be opened sufficiently so that they cannot -ICR 
be struck by the released upper stage vehicle under any rotation 

about its center of gravity. 

5. W.The upper stage vehicle shall be extended and released outside of the X 1 R R 

cargo bay such that upper stage vehicle rotation about its center of 
gravity in any direction upon release, will not Impact any part of 
the orbiter. 

6. All venting of the upper stage vehicle*. while near the orbiter shall X 1 R P 
be non-propulsive or shall translate the vehicle jway _rom the orbiter. i 


(Continued on Page 2.) 




RESIDUAL 


XXX 


RECOMtENOEO (X) OR NOT ( -) — 
NO* OFMPS (1. 2. 3. 4 s — 
REQUIREMENT Jr) OR 6UI0ELINE (•)• 
PREVENTIVE (P OR REMEDIAL (R) - 
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HAZARD/ EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE 2 OF 3 


NO. 

1.1.009 

DATE 

8-12-71 


HAZARD EMERGENCY 

Loss of attitude/translation control of upper stage vehicle upon release from orblter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

ASSUMPTIONS (cont) 

2. Source of stability remains the same as current vehicles. 

Agena Centaur Trans tage Burner II SM QOS /Tup 

Gyro Reference XX X X 

Accelerometers X X 

Computer/Flight Control XX X X 


3. The capability of the orblter to accelerate during upper stage deployment is less 
than that of the upper stage vehicle. 


1 REQUIREMENTS & GUIDELINES (cont) C 

; 7. No torques shall be imparted to the upper stage vehicle by the ,X 

i separation mechanism. 

i 8. Orblter shall be moved away from upper stage vehicle immediately X 

j on release. 

j°. Upper stage vehicle attitude and translation shall be monitored X 

j by the orbiter crew immediately following release. 

JlO. Upper stage vehicle attitude shall be controlled by command of X 

j the orbiter crew immediately following release. 

11. Internal attitude control signal of the upper stage vehicle shall X 

j be monitored for accuracy by the orbiter crew before release. 

|l2. Upper stage vehicle shall be switched from command control to X 

' Internal attitude control after orbiter has been sufficiently 

moved that no attitude change could result in collision. 

13. Upper stage vehicle shall be switched from command control by the X 
orbiter crew to internal translation control when sufficient time 
is available for the orbiter crew to execute evasive maneuvers, 
following any main propulsion or guidance failure. 

L4. Upper orbiter surfaces capable of being struck by the released 

upper stage vehicle during any attitude maneuver shall be strength- 
ened to prevent damage (to orbiter components required for de-orbit, . 
re-entry, and landing) for the condition of the worst possible attitude 


COUE RPC REF. 

X 1 G P IV-3.1 

V-II-3.1 


X 4 R Rl 

1 

i 

IV-3.4 

I 

X 4 R RHV-3.4 

f 

1 

X 4 R R 

IV-3.4 


"-II-3.4 

X 4 R - 

J -3.4 ! 

V-Il-3.4 

i 

X 4 R P 

1 

IV- 3.4 

V- II-3.4 

X 4 R R 

IV-3.4 


7-II-3.4 


■HR 


L re-entry, and 
acceleration. 
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HAZA RD/E MER GEN CY ANALYSIS 
(CONTINUED) 

PAGE _3_ OF _3_ 

NO. 

1.1. QQ9 

DATE 

8-12-71 


HAZARD/EMERGENCY 

Loss of attitude/translation control of upper stage vehicle upon release from orblter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) 

15. Coverings around the upper stage vehicle tanks shall be provided 
to prevent any leak from becoming directional and Imparting un- 
wanted attitude or translation motion. 

16. J. Orblter hardware required for abort shall be located remotely 

from the cargo bay, or protected against the potential effects of j 
cpper stage vehicle explosions which would not cause primary orbiteri 
structure failure. ! 

17. All orblter hardware contained in and near the orblter cargo bay I 

shall be capable of being functionally Isolated fro-.: those com- 
ponents necessary for de-orbit, re-entry and landing so that an ! 
accident in the cargo bay shall not prevent orblter abort. j 

18. The trajectories of the orblter and the upper stage vehicle shall 
be continually compared following release, and a means for 
shutting down the upper stage vehicle shall be provided if a 
collision appears imminent. 


CODE RGD REF. 
- 2 G P 

X 1 R R IV-3.1 


X 1 R R IV-3.1 


X 4 R R IV-3.4 

V-II-3.4 
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HAZARD/EMERGENCY ANALYSIS 

Page 1 of 2 


PROGRAM 

SHUTTLE 

X 

SORTIE 

X 

STATION 



NO. 

1.1.010 

DATE 

8-13-71 


HAZARD/EMERGENCY [ 


1‘Tource 

i« i ■ 


II-2 


1.2 


Hangup of upper stage vehicle during release from orbiter. 


TaMPT'i'W?" - — — — 

1. Attachment methods will be the same as currently required for boost vehicles. 


Explosive Bolts 

Agena 

Centaur 

Trans tage 

Burner II 

X 

SM OOS/Tug 

Linear Shaped Charge 
Not Defined 

X 

X 

X 


X 

X 


TygTfMTT~E7Fiers — — 

1. Damage to orbiter structure and equipment from random motion of the upper stage vehicle 
in an extended position. 


2. Inability of the orbiter to re-enter because of the open cargo bay doors. 


REQUIREMENTS A GUIDELINES 1 


1. Redundancy shall be provided in the means for separating the upper 
stage vehicle. No single failure shall result in unprogrammed motion 
o. the upper stage vehicle. 


CODE 


X 1 R P 


RGD REF. 


IV- 3.1 

V- II-3.1 


?.W. The upper stage vehicle shall be extended and released outside of the 
cargo bay such that upper stage vehicle rotation about any one attach- 
ment point in any direction upon release, will not impact any part of 
the orbiter. 

3. Special orbiter attitude and translation motions shall be planned to 
assist release of any single residual connection with the upper stage 
vehicle. 


X 1 R R 


[IV-3.1 

V-II-4.1 


X 4 G R 


IV- 3.4 1 

V- II-4.1 


4. Orbiter to upper stage vehicle connections shall be designed for 
emergency manual release by orbiter crew member in extravehicular 
activity. 


X 1 R R 


IV- 3.1 ; 

V- II-3.1 I 




5. Emergency release of the extension mechanism shall be possible in 
order to save the orbiter at the expense of the upper stage vehicle. 

(Continued on Page 2.) 


I RESOLVED HAZARD 
| RESIDUAL HAZARD 

'w i mect 


& 


RECOMMENDED (X) OR NOT ( -) 
NO. OF HRPS (1. 2, 3, 4) 
REQUIREMENT (R OR fiUID&INE 
PREVENTIVE (P) OR REMEDIAL 


W- 
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X 1 R R 


IV-3.1 


! 

J 

i; 


X X X X 



HAZARD/EMERGENCY 

Hangup of upper stage vehicle during release from orblter. 



NO. 

1.1.010 

DATE 

8-13-71 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) 

6. X. Procedures shall be available for extra-vehicular Inspection ant’ 

release or re-attachment of partially released upper stage vehicles 
in orbit. 

7. Procedures shall be available to apply unidirectional translational 
or rotational acceleration to the orblter in the event of a partial 
release of the upper stage vehicle in the extended position to pre- 
vent random motion. 



CODE 

X 4 R R IV-3.4 
V-II-3. 


-4 G 
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HAZARD/EMERGENCY ANALYSIS 


Page 1 o f 


PROGRAM 


SHUTTLE 

X 

SORTIE 

X 

STATION 



NO. 

1.1.011 

DATE 

8-16-71 


HAZARD/EMERGENCY | 


SOURCE 


II-2.1.2 


Rupture of common bulkhead tanks in upper stage vehicle while in or near orbiter. 


ASSUMPTIONS 


1. Some upper stage vehicles will use common bulkhead tanks, e.g.. Centaur. 


y p6tential effects' 

A propellant combination which could burn immediately (for hypergolics) or could become 


r 

« 

I 

I 

1 an explosive mixture (for cryogenics) capable of being detonated by a small 
input. Orbiter damage would be catastrophic in either case. 

energy 


I 

REQUIREMENTS & GUIDELINES | 

CODE 

RGD REF. 

‘f 

js 

f 

1 

1. For upper stage vehicles with propulsion tanks using common bulkheads, 

X 3 R P 

IV-3.3 


differential pressure between the two tanks, common bulkhead strain, 


V-II-3.3 

| 

or other indications of potential failure, shall be monitored by the 



1 

i 

Orbiter crew. 



f 

k 

tir 

2. For upper stage vehicles with propulsion systems using common bulk- 

- 2 G P 

_ 

k 

heads, venting of the high pressure tank shall be automatic when a 



tr. 

1 

sy- i 

high differential pressure or strain is measured between the two tanks, 



v 

rt* 

3, Capability shall be provided for the orbiter crew to selectively 

X 2 R P 

IV-3.2 

> 

pressurize or vent each tank of an upper stage vehicle using a 


V-II-3.2 


common bulkhead. This capability shall be available with the orbiter 



*1 ' 

cargo bay doors open or closed. 




4. H. Pressurizing gas on upper stage vehicles shall be turned off until 

X 4 R P 

IV-3.4 


immediately prior to release of the vehicle from the orbiter. 


V-II-3.4 


5. D. Relief capability shall be provided for the upper stage vehicle tanks 

X 2 R P 

IV-4.2 


which automatically limit maximum pressure. Venting shall be to 


V-II-3.2 

; 

space or to a tank at lower pressure, and shall be arranged so that 




mutually reactive fluids cannot mix and result in a fire or explosion. 

v y v v 


i 

(Continued on Page 2.) 

A A A A 

1 1 1 1 



RESOLVED hazard 


RESIDUAL HAZARD 
-ft .r-SS-3138 


(X) OR ROT (-) 
NO. OF HRPS 1. 2. 3, 4) 


RECOMMENDED 


nw# wr rm r* u> *** — 

REQUIREMENT (R) OR GUIDELINE (G)< 
PREVENTIVE (P) OR REMEDIAL (R) - 


i 


D-44 







HAZAP D/EMERGENCY ANALYSIS 

(CONTINUED) page 2 of 2 


NO. 

1.1.011 

DATE 

8-16-71 


HAZARD/E V.ERGENCY 

Rupture of common bulkhead finks in upper stage vehicle while in or near orbiter. 


(LIST ADDITIONAL CONTENT IN "HE ORDER OF SHEET 1.) 
REQUIREMENTS & GUIDELINES (cont) 

CODE 

RGD REF. 

6. G. Capability shall be provided for the orbiter crew to vent and dump 
upper stage vehicle pressurized or hazardous fluids to space within 
the time constraints imposed by an abort situation. This capability 
shall be available with the cargo bay doors open rr closed. 

X 2 R P 

IV- 3.2 

V- II-3.2 

7. For upper stage vehicles with ’•ropulsion systems using common bulk- 
heads, the design of the propulsion system shall only allow press- 
urization of both tanks to occur simultaneously , so as not to exceed 
the allowable differential pressure. 

X 1 R P 

V-II-3.1 







HAZARD/EMERGENCY ANALYSIS 


P.'lgl' I C) 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


z 

o 

• 

L. 1.012 


DATE 

8-17-71 




HAZARD/TMERGENCY 


SOURCE 111-2.1.2 


Loss of pressurization In pressure stabilized upper stage vehicle structure while In 
or near orb iter. 


OttifMilMSl 


1. upper stage vehicles will use a pressure stabilized structure, e.g, the Centaur. 

2. It is desirable to return a collapsed upper stage vehicle to earth rather than 
abandon it in orbit. 


ENTIA 


1. Reparable or permanent damage to the upper stage vehicxe. 

2. Damage to orbiter equipment and structure from collapse of the upper stage vehicle. 


REQUIREMENTS & GUIDELINES 


1. A backup means shall be provided for the orbiter crew to vent or 
pressurize upper stage vehicles with a pressure stabilized structure. 

2. The support structure of a pressure stabilized upper stage vehicle in 
the shuttle shall allow shuttle de-orbit, re-entry and landing follow- 
ing loss of pressurization in the upper stage vehicle while in the 
orbiter cargo bay in orbit. 

3. F. Capability shall be provided to detect potential tank failures by 

measurement of fluid pressures, temperatures, tank strains, or other 
means. 

A.J.Orbiter hardware required for abort shall be located remotely from 
the cargo bay, or protected against the potential effects of upper 
stage vehicle explosions which would not cause primary orbiter 
structure failure. 

5.N.A11 orbiter hardware contained in and near the orbiter cargo bay 
shall be capable of being functionally isolated from those com- 
ponents necessary for de-orbit, re-entry and landing so that an 
accident in the cargo bay shall not prevent orbiter abort. 

Continued on Page 2.) 



RECOMHENOED (X) OR NOT ( -} — 

NO. OF HRPS 1. 2, 3, 4j — 
REQUIREMENT (R) OR 8UI0ELINE (Q)< 
PREVENTIVE (P) OR REMEDIAL (R) - 


CODE 

RGD REF. 

X 1 R P 

IV-3.1 


V-II-3.1 

X 1 G R 

IV-3.1 


V-II-3.1 


X 3 R P IV-3.3 

V-II-3.3 


X 1 R R IIV-3.1 


X 1 R R IV-3.1 


X X X X 












HAZARD/EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE 2 OF 2 


1 . 1.012 

8-17-71 


HAZARD/EMERGENCY 

Loss of pressurization In pressure stabilized upper stage vehicle structure while in 
or near orbiter. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
REQUIREMENTS & GUIDELINES (cont) 


6. X. Procedures shall be available for extravehicular inspection and 

release or re- attachment of depressurized upper stage vehicles 
in orbit. 

7. Sufficient upper stage vehicle support shall be provided by the 
orbiter to prevent collapse during any transport phase, regard- 
less of pressure. 

8. The pressure stabilized structure shall be capable of being filled 
and stabilized with foam while in orbit following jettison or use of 
internal fluids. 



CODE 


X 4 R R IV-3.4 
V-II-3, 


- 2 G R 


- 2 G R 
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HAZARD/EMERGENCY ANALYSIS 

Page 1 of 2 


NO. 

1.1.013 

DATE 

8-17-71 


PROGRAM 

SHUTTLE 

X 

SORTIE 

X 

STATION 



HAZARD/EMERGENCY [ 


SOURCE I II-2.1.2 


Inability to dump propellants or pressurants in retrieved upper stage vehicle. 


ASSUMPTION? 


1. Upper stage vehicles retain their current complement of pressurized containers. 
(Continued on Page 2.) 


[ POTENflAL EFFECT'S ~~ “ ” 

Damage to orbiter structure and equipment from release of residual propellants or press- 
urants into the cargo bay. 


I 

\ 


I 

\ 

1 


J 

i 


i 

\ 


REQUIREMENTS & GUIDELINES] 

CODE 

RGD REF. 

1. Dumping of propellants and pressurants from a retrieved upper stage 

X 4 R P 

IV-3.4 

vehicle shall be accomplished before initiation of the shuttle orbiter 


V-II-3.4 

deorbit maneuver. 



2. Dumping of propellants and pressurants from a retrieved upper stage 

X 4 R P 

IV-3.4 

vehicle shall be controlled by the orbiter crew. 


V-II-3.4 

3. A backup means of dumping propellants and pressurants from a retrieved 

X 1 R P 

IV-3.1 

upper stage vehicle shall be available. 


V-II-3.1 

4. The orbiter auxilliary propulsion system shall provide an upper stage 

- 4 G R 

— 

vehicle propellant settling maneuver before firing of the 



orbit maneuvering system, de-orbit engines. 



5. An upper stage vehicle in which propellant and pressurants have not 

X 4 R R 

IV-3.4 

been dumped shall not be returned into the orbiter cargo bay. 

• 

V-II-3.4 

• 

X X X X 

I < t i 



> 

] 

» 

I 

i 

i 

i 


\ 

i 


1 RESOLVED HAZARD 

ra 


□ 


;x) OR NOT (-) 

1 . 2 . 3 , 4 ) 

REQUIREMENT (R OR WIDELINE 


RECOMMENOED 
NO. OF HRPS 


PREVENTIVE (P) OR REMEOIAL 
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HAZARD/EMERGENCY ANALYSIS 
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PAGE 2 OF 2 


NO. 

1.1.013 

DATE 

8-17-71 


HAZARD/EMERGENCY 

Inability to dump propellants or pressurants in retrieved upper stage vehicle. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
! ASSUMPTIONS (cont) 


2. (Continued) 


Agena 


Helium Tanks 
Nitrogen Tanks 
Nitrogen Tetroxide Tanks 
Aerozene -50 Tanks 
Hydrogen Peroxide Tanks 
Liquid Oxygen Tanks 
Liquid Hydrogen Tanks 
Monomethyl Hydrazine Tanks 
Water/Glycol Tanks 
Unsymmetrical Dimethyl 
Hydrazine 

Inhibited Red Fuming Nitric 
Acid 


Centaur 

X 


Transtage Burner II 


QOS /Tug 
X 
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HAZARD/EMERGENCY ANALYSIS 

Page 1 of 2 


PRO-AM 

SHUTTLE 

X 

SORTIE 

X 


STATION 



• 

o 

z 

1.1.014 

DATE 

8-17-71 


HAZARD/EMERGENCY [ 


SOURCE 


ln-2.1.2 



Inability to dump upper stage vehicle propellants or pressurants during orbiter abort. 


asSUMFtiOnIS | 


1. Upper stage vehicles retain their current comple-nent of pressurized containers. 
(Continued on Page 2.) 


}‘TOTtWrTAl , ’~ffyRT5‘^ 

1. Inability to return upper stage vehicle to earth. 


2. Damage to orbiter structure and equipment from overloading during de-orbit, re-entry 
and landing with fully loaded launch payload. 


REQUIREMENTS & GUIDELINES 


J 


CODE 


RGD REF. 


1* The orbiter shall have the capability to de-orbit, re-enter and land 
with a fully loaded upper stage vehicle as payload. 


X 1 R R 


IV-3.1 


2 . 


Sufficient propellants for orbiter de-orbit and landing with on-board, 
fully loaded upper stage vehicle shall be retained on the 
until main engine ignition of the upper stage vehicle. 


X 4 R R 


IV-3.4 


3. G. Capability shall be provided for the orbiter crew to vent and dump 
upper stage vehicle pressurized or hazardous fluids to space within 
the time constraints imposed by an abort situation. This capability 
shall be available with the cargo bay doors open or closed. 


X 2 R P 


IV- 3.2 

V- II-3.2 


X X X X 


RESOLVED HAZARD 


RESIDUAL HAZAkb 

' TRMS^nV 


RECOMMENDED 
NO. OF HOPS 


(X) OR NOT (- ) 
1 . 2 , 3 , 4 ) 


REQUIREMENT (r| OR SIDELINE (8)* 
PREVENTIVE (P) OR REMEDIAL (R) - 
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HAZARD/EMERGENCY ANALYS I S 

(CONTINUED) "age 2 of 2 


NO. 

1.1.014 

DATE 

8-17-71 


! HAZARD/EMERGENCY 

j 

I Inability to dump upper stage vehicle propellants or pressurants during orbiter abort. 


(LIST ADDITIONAL CONTENT IN THE 
ASSUMPTIONS (cont) 

ORDER 

OF SHEET 1.) 





(Continued) 

Agena 

Centaur 

Trans tage 

Burner II 

SM 

OOS/Tug 

Helium Tanks 

X 

X 

X 


X 

X 

Nitrogen Tanks 

X 


X 

X 

X 


Nitrogen Tetroxide Tanks 



X 


X 


Aerozene -50 Tanks 
Hydrogen Peroxide Tanks 


X 

X 

x 

X 


Liquid Oxygen Tanks 


X 



X 

X 

Liquid Hydrogen Tanks 


X 



X 

X 

Monomethyl Hydrazine Tanks 





X 


Water /Glycol Tanks 
Unsymmetrical Dimethyl 

X 




X 


Hydrazine 







Inhibited Red Fuming Nitric Acid X 






2. The shuttle is designed for a 

lower return 

payload weight tht\ it 

can 

deliver 


to orbit. 


3. The shuttle and its payload has achieved orbit. 
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HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


Page 1 of 2 


SHUTTLE 

X 

SORTIE 

X 

STATION 



• 

O 

z 

1.1.015 

DATE 

8-17-71 


SOURCE 1 

11-2.1*1 


HAZARD/EMERGENCY | SOURCE 1 II-2.^r2 

Inability to close cargo bay doors after retrieval of upper stage vehicle because of 
Interference with upper stage vehicle. 



NAL EFFECTS 


1. Inability of orbiter to re-enter. 

2. Damage to orbiter cargo bay doors or cargo bay. 

3. Damage or loss of upper stage vehicle. 

1 REQUIREMENTS & GUIDELINES 1 

1. Capability shall be provided for visual inspection of an orbiter 
payload before Initiating retrieval and loading into the orbiter 
cargo bay. 

2. Positive indication shall be provided to the orbiter crew that a 
retrieved payload has been properly secured in the cargo bay before 
closing the cargo bay doors. 


payload wif . the closing of the cargo bay doors and stopping the 
motion before damage results to the doors or the door mechanism. 

4. Means shall be provided for re-opening the cargo bay doors from any 
. partially closed position. 

5. Capability shall be provided for visual inspection of an orbiter 
payload in the orbiter cargo bay with the cargo bay doors open. 


extension, and release or re-positioning of improperly stowed upper 
stage vehicles in orbit. 

(Continued on Page 2.) 


CODE 

RGD REF. 

X 4 R P 

IV-3.4 


V- 1-4.1 


V-II-4.1 

X 3 R P 

IV-3.3 


V- 1-4.1 


V-II-4.1 

X 2 & R 

IV-3.2 

X 1 R R 

IV-3.1 

X 2 R P 

IV-3.2 

X 4 R R 

IV-3.4 


7-II-4.1 

tilt 



RESOLVED HA ZARD »— 
RESIDUAL HAZARD - » I 


ma m m a m or not (- ) — 

no. o r vm |i. 2, 3 , 4) — 

KflJIMHBT (Rj OR OUIO&IK (•) 

MevnnvE r or rkdml (rj - 
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HAZARD/EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE 2 OF 2 


NO. 

1.1.015 

DATE 

8-17-71 


HAZARD/EMERGENCY 

Inability to close cargo bay doors after retrieval of upper stage vehicle because of 
interference with upper stage vehicle. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) CODE RGD REF . 

7. Capability for extra- vehicular activity shall be provided to die- X 2 R P IV-3.2 
connect, sever, or otherwise free cables, deployed mechanisms or 
other upper stage vehicle protruberances which could Interfere 
with retrieval and stowage in the orbiter. 

8. Positive indication shall be provided to the orbiter crew that the X 3 R R IV-3.3 
cargo bay doors have closed and latched befoi a Initiating de-orbit. 

9. The capability shall be provided on upper stage vehicles for remote X 1 G P IV-4.2 


emergency jettisoning of deployable equipment to allow retrieval 
and sfowage in the orbiter cargo bay. 


V-II-3.1 



0-33 




HAZARD/EMERGENCY ANALYSIS 

Page 1 of 2 



Exposure of the orbiter crew or passengers to a toxic environment released from a 
vessel in the payload containing a toxic fluid. 


a'SsUmWGns 


1. The payload is capable of being pressurized for manned occupancy. 

2. An airlock interface exists between the orbiter and the payload. 

3. Toxic or potentially toxic fluids are carried in the orbiter payload. 


[ PfrTENtlAL EFFECtS 

1. Injured or disabled orbiter crewmen or passengers due to toxic payload fluids aining 
access to the orbiter environmental control and life support system. 

2. Injured or disabled passengers in pressurized payload due to toxic payload environment. 

REQUIREMENTS & GUIDELINES I ~~ 


CODE 

RGD REF. 

1 R P 

V-I-3.1 
V-III- M 

3 R P 

V-I-3.3 

V-III-3.3 

3 R P 

V-I-3.3 

V-III-3.3 

2 R R 

V-I-3.2 

V-III-3.2 

2 R P 
XXX 

V-I-3.2 

V-3.7 


1. Y Toxic fluid containers shall be located in unpressurized volumes of 

pressurized payloads, or shall be double contained with the capa- 
bility of dumping the fluid to space or off-loading to another 
double container, and of venting the space between the two conta^^rs 
to space. 

2. Z Double contained toxic fluid containers shall be provided with means 

to detect leakage of the toxic fluid into the space between the con- 
tainers, and with means to detect penetration of the outside container 

3. a Means shall be provided for detecting a toxic environment in press- 

urized orbiter payloads containing toxic or potentially toxic fluids. 

4. b Emergency capability shall be provided to sustain personnel when in a 

manned payload, following detection of a toxic environment in the 
payload, until escape into the orbiter can be effected. 

5. c Special protective garments and equipment shall be provided for 

personnel working in a toxic environment or near potentially toxic 
payload elements . 


(Continued on Page 2.) 


RESOLVED HAZARD 
RESIDUAL HAZARD lx 


131 


RECONtENDED (X) OR NOT (- ) — 

NO. OF HRPS (1. 2. 3. <_ ) — 

REOUIRENBfT (Rj ON OUIMLINE («)■ 
PREVENTIVE (P) OR REMEDIAL (R) - 






HAZARD/EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE 2 OF 2 


NO. 

1.2. QQ1 

DATE 

..8=10-71 


HAZARD/EMERGENCV 

Exposure of the orbiter crew or passengers to a toxic environment released from a 
vessel in the payload containing a toxic fluid. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 


REOUIREMENTS & GUIDELINES (cont) 

CODE 

RGD.REF. 

6.d Capability shall be provided to purge or dump to space a toxically 

X 1 R R 

V- 1-3.1 

contaminated atmosphere in a pressurized orbiter payload. 



7.e Capability shall be provided to purge or vent the orbiter airlock 

X 1 R P 

IV-3 . 1 


and tunnel to spac. following emergency egress of passengers from 
a toxic payload environment, or following IVA personnel entry for 
inspection and subsequent return to prevent the toxic environment 
from contaminating the orbiter crew and passenger compartment. 

8. f Means shall be provided to decontaminate personnel who have been 

exposed to a toxic environment in the payload which can be pro- 
pagated to the orbiter before entering the orbiter crew and 
passenger compartments. 

9. Means shall be provided for determining the presence of an 
unacceptable toxic environment in the orbiter as a result of 
toxic contamination in a payload. 

LO. Emergency capability shall be provided in the orbiter to purge the 
orbiter pressurized volumes of a toxic environment that may result 
from toxic contamination of a payload, and to sustain orbiter 
personnel during the purging operation. 


X 2 R R IV-3 . 2 


X 3 R P IV-3. 3 


X 1 R P IV-3 . 1 



■«* * 


HAZARD/EMERGENCY ANALYSIS 


PROGRAM 

SHUTTLE 

X 

SORTIE 

X 

STATION 

X 


HAZARDAMERGENCY 


Page 1 of 2 


NO. 

1.2.002 

DATE 

8-27-71 


SOURCE 


II-2.2.6 


I 


A fire in the cargo bay resulting from release and ignition of a flammable fluid 
in an unpressurized payload. 




The payload is unpressurized and contains vessels of flammable fluids. 




^pressurized payload 

Flammable fluid vessels 


2. Fire can be sustained in the unpressurized cargo bay long enough to 
cause damage. 

T tofENf[AL"£WTC H 

1. Damage to payload. 


2. Damage to orbiter structure and equipment in the cargo bay, possible preventing 


de-orbit, re-entry, and landing. 



1 REQUIREMENTS & GUIDELINES F 

CODE 

RGD REF. 

1. The orbiter cargo bay- shall be vented to space or the orbiter cargo 
bay doors shall be opened at all times while on-orbit to preclude 
buildup of pressures in die cargo bay capable of supporting combustion. 

X 1 R P 

r 

IV-3.1 

2. Fire detection and location capability, such as distributed thermo- 
couples, infrared detectors, or remote control TV, shall be provided 
in the cargo bay for use while the cargo bay doors are closed. 

X 3 R * 

IV-3.3 

3. Procedures shall be available for immediately initiating opening of 
the cargo bay doors if a fire is detected in the cargo bay while the 
doors are shut. 

X 4 R R 

IV-3.4 

4.g Instrumentation of payloads shall be provided to assist in isolating 
cause and source of fire. 

-3R * 


5.h Capability to release, eject, or extend the payload shall be provided 
so as to prevent damage to the orbiter at the expense of the payload. 

X 1 R R 

IV- 3.1 

V- I-3.1 
V-III-3.1 

6. i Capability shall be provided for the orbiter crew to vent and dump 
flammable or hazardous payload fluids to space within the time con- 
straints imposed by ah abort situation. This capability shall be 
available with the cargo bay doors open or closed. 

X 1R R 
X X X X 

a a * 

IV- 3.1 

V- I-3. 1 
V-III-3.1 


(Continued on Page 2.) 

RESOLVED HAZ ARD 
RESIDUAL MA£A*u~ | xj 

•»• .'i.-ann- 


RECGMENKD (X) OR NOT ( -) 

NO. OF HRESil. 2. 3, < ) — 

SSSKff/i! 5 fJSEih. 

PREVENTIVE (E) OR WBUL (NJ — 1 
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HAZARD/EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE 2 OF 2 


NO. 

1.2.002 

DATE 

8-27-71 


HAZARD/EMERGENCY 

A fire in the cargo hay resulting from release and ignition of a flammable fluid 
in an unpressurized payload. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) 

7.j Capability shall be provided to switch off all electrical loads to 
payload from the orbiter. 


10 m Fire and heat resistant protection of orbiter to payload 
instrumentation interfaces shall be provided. 


CODE 

ilRP 


8.k Thermal insulation shall be provided on orbiter cargo bay structure to - 1 R P 
minimize orbiter structure absorption of radiated heat from payload 
fire. 

9.1 Thermal insulation shall be provided between orbiter cargo bay /pay load ~ 1 R P 

attach points and other physical interfaces to minimize thermal con- 
duction to orbiter structure. 


X 1 R 


11. A warning indication shall be provided to the orbiter. crew of a spilled - 1 G P 
flammable fluid or a fire hazard environment in the orbiter cargo hay. 

12. Capability shall be provided to deluge monopropellant and rhAm-t rai - 1 R P 

decomposition fires with cold inert gas to reduce or eliminate 

chemical activity if venting to space does not eliminate fire. 


-3. n Ignition sources in the orbiter bay , such as switches and relays , 
shall be sealed or otherwise contained so as to prevent ignition 
of flammable fluids. 


X 1 R P 


D-57 
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PROGRAM 


SHUTTLE 

SORTIE 

STATION 


HAZARL'/EMERGENCY ANALYSIS 


Page ^ of 


1.2.003 


8-27-71 



HAZARD/E MERGENCV 


SOURCE 


A fire in a pressurized payload in the cargo bay resulting from release and ignition 
of a flammable fluid. 


ASSUMPTIONS - 


The payload is pressurized, but not necessarily manned at all times, 

and contains vessels of flammable fluids. 

— . Pressurized payload 

/ _ Flammable fluid vessels 


2. Ignition sources will exist during manned operations in the payload. 

3. An airlock interface exists between the orbiter and the payload. 

POTENTIAL EFFECTS * 

1. Damage to payload. 

2. Rupture/explosion of the payload, leading to damage to orbiter. 

3. Injury or loss of personnel in the payload module. 


REQUIREMENTS & GUIDELINES 


CODE 


1 Jf Flammable fluid containers shall be located in unpressurized vol- X 1 R P 
umes of pressurized payloads, or shall be double contained with 
the capability of dumping the fluid to space or off-loading to 
another double container, and of venting the space between the 
two containers to space. 

2.Z Double contained flammable fluid containers shall be provided with X 3 R P 
means to detect leakage of the flammable fluid into the Space 
between the containers, and with means to detect penetration of 
the outside container. 


RGD REF. 


V-III-3. 


V-III-3. 


3. ® Means shall be provided for detecting a flammable or oxygen en- 

riched environment in pressurized shuttle payloads containing 
flammable fluids. 

4. Means shall be provided for detecting the presence of a fire in 
pressurized shuttle payloads. 


X 3 R P 


V-III-3. 


3 R 1 IV-3.3 


(Continued on Page 2.) 


X X X X 


RESOLVED HAZARD 
RESIDUAL HAZARD 


RECOMMENDED (X) OR NOT ( -) — 
NO. OF HRPS (1. 2, 3, 4, ) — 
REQUIREMENT (R) OR GUIDELINE (G) 
PREVENTIVE (P) OR REMEDIAL (R) - 
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NALYS I S 


PAGE 2 OF 3 


NO. 

1.2.003 

DATE 

8-27-71 


HAZARD/EMERGENCY 

A fire in a pressurized payload in the cargo bay resulting from release and ignition 
of a flammable fluid. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) 

5. Manually and remotely controlled means shall be provided in 
pressurized orbiter payloads for controlling and extinguishing 
fires . 


CODE R£f. 

X 2 R R IV-3.2 
V-I-3.2 
V-IIT-3.2 


6. Emergency life support shall be provided for all personnel in X 2 R R V-I-3.2 

manned orbiter payloads sufficient to allow them time to control I V-III-3.2 

a fire and/or escape to the orbiter. 

7. Capability shall be provided to isolate orbiter environmental X 1 R R 

control system from payload to prevent toxic fumes from entering 
the orbiter. 

8. Capability shall be provided to automatically shut off forced X 1 R R 

air circulation in a pressurised orbiter payload upon detection v-j.j.j.-j.x 

of a fire. 

9. Capability shall be provided to relieve atmospheric pressure from a .X 2 R R IV-4.1 

orbiter payload so as to prevent pressurization beyond the payload IV-4.3 

structural limits. This capability shall be automatic when the V-I-3.2 

payload is not manned, and under control of the occupants when V-III-3.2 

manned. The maximum dump rate shall not exceed the venting capa- 
bility of the orbiter cargo bay with the cargo bpy doors dosed* 

10. i Capability shall be provided for the orbiter crew to vent and dump X 1 R R IV-3.1 

flammable or hazardous payload fluids to space within the time V- 1-3.1 

constraints imposed by an abort situation* This capability shall 'V-III-3.1 j 

be available with the cargo bay doors open or dosed* 

11. d Capability shall be provided to purge or dump to space a toxically X 1 R R V-I-3.1 

contaminated atmosphere in a pressurised orbiter payload. V-III-3.1 

12 . j Capability shall be provided to switch off all electrical .loads to X 1 R P IV-3.1 

payload from orbiter. V— 1—3.1 

p-III-3.1 

(Continued on Page 3.) 


X 1 R R IV-3.1 
V-I-4.1 
V-T1It4.1 

X 1 R R V-I-3.1 

V-III-3.1 


iX 2 R R IV-4.1 

IV- 4.3 

V- I-3.2 
V-III-3.2 
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HAZARD/EMERGENCY ANALYSIS 


JC-D-N IJ N UE.m 


PAGE 3 OF 


NO. 

1.2.003 j 

DATE 

8-27-71 

1 

| 


HAZARD/EMERGENCY 

A fire in a pressurized payload in Che cargo bay resulting from release and ignlclon 
of a flammable fluid. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
REQUIREMENTS & GUIDELINES (cont) 


13 jci Ignition sources in orbiter pressurized payloads, such as switches 
and relays, shall be sealed or otherwise contained so as to prevent 
ignition of flammable fluids. 


X 1 R P 


IV- 3.1 

V- I-3.1 


14.h Capability to release, eject, or extend the payload shall be pro- 
vided so as to prevent damage to the orbiter et the expense of the 
payload. 


X 1 R P 


IV- 3.1 

V- I-3.1 


V-III-3. 1 


15 .g Instrumentation of payloads shall be provided to assist in isola- 
ting cause and source of fire. 


3 R P 




* 


16 .k Thermal insulation shall be provided on orbiter cargo bay structure 
to minimize orbiter structure absorption of radiated heat from pay- 
load fire. 


1 R P 


17.1 Thermal insulation shall be provided between orbiter cargo bay/pay-' 
load attach points and other physical interfaces to minimize thermal 
conduction to orbiter structure. I 


- 1 R P 


18. m Fire and heat resistant protection of orbiter to payload command 

and instrumentation interfaces shall be provided. 

19. Materials used in pressurized payloads shall be subject to the 
same flammability control procedures as those used within the 
orbiter pressurized volumes. 


X 1 R P 


X 1 R R 


IV- 3.1 : 

V- I-3.1 I 
V-III-3. lj 
V-I-3.1 i 

fV-III-3.1| 

I 

I 


i r 
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HAZARD/EMERGENCY ANALYS I S 

Page 1 of 2 


PROGRAM 

1 

SHUTTLE 

X 

SORTIE 

X 

STATION 

X 


__ NO._ 

1.2.004 

DATE 

8-27-71 


HAZARD/EMERGENCY | 


SOURCE >11-2.2.6 


A corrosive environment in the orbiter cargo bay resulting from leakage or rupture 
of a payload vessel containing a corrosive fluid. 


P^SSUMPfTONS' 

1. An airlock interface exists between the orbiter and the payload.- 
, 2. Corrosive fluids are carried in the orbiter payload. 


TpStential effects I 

t 

1. Damage to payload. 


2. Damage to orbiter structure and equipment in the cargo bay, possible preventing de- 
orbit, re-entry, and landing. 


REQUIREMENTS & GUIDELINES 


T 


CODE 


RGD REF. 


l.Y Corrosive fluid containers shall be located in unpressurized 

volumes of pressurized payloads, or shall be double contained with 
the capability of dumping the fluid to space or off-loading to 
another double container, and of venting the space between the 
two containers to space. 


X 1 R P 


V-I-3.1 

V-III-3. 




2.Z Double contained corrosive fluid containers shall be provided with 
means to detect leakage of the corrosive fluid into the space be- 
tween the containers, and with means to detect penetration of the 
outside container. 


X 3 R P 


V-I-3.3 

y-III-3.3 


3.d Capability shall be provided to purge or dunp to sp?ce a corrosive 
atmosphere in a pressurized orbiter payload. 


X 1 R R 


I V-I-3.1 
y-m-3.1 


4. V Cargo bay surface materials which may be exposed to leaking corro- 

sive fluids from payload shall be constructed or protected against 
corrosion. 

5. Instrumentation shall be provided to detect leakage of corrosive 
fluids from container or piping* 


X 1 G R 


IV-3.1 


- 1 R R 


(Continued on Page 2.) 


X X X X 


RESOLVED HAZARD 


RESIDUAL HAZARD 

X 


fWfr-SM134 


RECOMMENDED (X) OR NOT (-) — 
NO. OF HRPS 1, 2, 3, * ) — 
REQUIREMENT (R) OR GUIDELINE (G) 
PREVENTIVE (P) OR REMEDIAL (R) - 


. . D-61 
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HAZARD/EMERGENCY ANALYSIS 

ICONT INUEO) page 2 of 2 


NO. 

1.2.004 

DATE 

8-27-71 


HAZARD EMERGENCY 

A corrosive environment in the orbiter cargo bay resulting from leakage or rupture 
of a payload vessel containing a corrosive fluid. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 


REQUIREMENTS & GUIDELINES (cont) 

CODE 

RGD. REF. 

6. Access for visual inspection by lntravehicular activity or remotely 
by instrumentation shall be provided to all primary structure in- 
side the cargo bay < r equipment in the cargo bay required for return 
to earth. 

X 1 G r 

IV- 3.1 

V- I-4.1 
V-III-4.1 

7. Access for visual inspection by lntravehicular activity or remotely 
by ins tr unent at ion shall be provided to all primary structure of 
pressurized payloads while in the orbiter cargo bay. 

X 1 G R 

IV -4.1 

IV- 4.3 

V- 1-3.1 
V-III-3. 1 

8. Means shall be provided for the local application of radiant or 
other type of heat remotely or by personnel in 1VA or EVA 
activity to evaporate accumulations of frozen fluids from critical 
areas. 

X 2 R R 

IV- 3.2 

V- I-3.2 
VrIII-3.2 

9.0 Vented gases from the orbiter cargo bay shall not be allowed to 
flow past the orbiter propellant tanks. 

X 1 R R 

IV-3.1 

10iP Orbiter equipment and structure exposed to vented gases from the 
cargo bay shall be protected against the effects of corrosion and 
be capable of inspection on the ground. 

X 2 R R 

IV-3.2 

Ll.V Cargo bay surface materials which may be exposed to leaking 

corrosive fluids from payload shall be constructed or protected 
against corrosion. 

X 1 G R 

IV-3.1 

L2.e Capability shall be provided to purge or vent the orbiter airlock 
and tunnel space following emergency egress of passengers from 
a corrosive payload environment, or following IVA personnel entry 
for Inspection and subsequent return to prevent the corrosive 
environment from contaminating the orbiter crew and passenger 
compartment. 

X 1 R P 

IV-3.1 

3.f Means shall be provided to decontaminate personnel who have been 

X 2 E R 

IV-3.2 


exposed to a corrosive environment in the payload which can be pro- 
pagated to the orbiter before entering the orbiter ere*/ and pass- 
enger compartments. 


it . y 
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HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

X 

SORTIE 

X 

STATION 

X 


Page 1 of 3 

1*2.005 

8-27-71 


HAZARD/EMERGENCY 


SOURCE 


An explosion In the orbiter cargo bay of a potentially explosive payload vessel. 


ctwimiir* 


The orbiter payload Includes potentially explosive fluid tanka In (a) the unpressurized 
cargo bay, or (b) In a pressurized or unpressurized module which cannot contain the 
explosion. 




Damage to orbiter structure and equipment principally in cargo bay froms (1) Rupture of 
pressurized containers into fragments, (2) Initiation of a pressure wave producing shock, 
(3) Release of excessive fluid which Increases cargo bay pressure beyond venting capability 
and increases heat leaks into orbiter propellant tanks. 


REQUIREMENTS & GUIDELINES 


1. The factors of safety of pressure vessels while in or near the 
orbiter shall be at least equal to , the orbiter tank factors 
of safety. 

2. Gaseous content of pressurized tanks shidl be small enough so that 
rapid isen tropic expansion into -the orbiter cargo bay will not result 
in overpressure. 

3. C Tanks shall be designed so that failure due to overpressure will not 

produce shrapnel. 

4. Relief capability shall be provided for pressurized tanks which 
automatically limit maximum pressure. Venting shall be to space or 
to a tank at lower pressure, and shall be arranged so that mutually 
reactive fluids cannot mix and result in a fire or explosion. 

5. F Capability shall be provided to detect potential tank failures by 

measurement of fluid pressures, temperatures, tank strains, or other 

means . 

(Continued on Page 2.) 


CODE I RGD REF. 


X 1 G P IV-4.1 
IV-4.3 


X 1 R R 


X 1 G R 


X 2 R P 


X 3 R P 



XXX 




REC9MENKD (X) OR ROT ( 
NO. OP WPS 1,1,1 4 ' 















(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) 

6.1 Capability shall be provided for the orbiter crew to vent and dump 
pressurized or hazardous fluids to space within the tine constraints 
imposed by an abort situation. This capability shall be available 
with the cargo bay doors open or closed. 

7.1 Cargo bay thermal Insulation shall be desigued as a fragmentation 
blanket* 

8. Orbiter hardware required for abort shall be located remotely from 
the cargo bay, or protected against the potential effects of payload 
explosions which would not cause primary shuttle structure failure. 


X 1 R Id IV-3.1 


Always-open cargo bay vents to space shall be provided on the orbiter X 1 R 
which limit internal cargo bay pressures from leakage to the cargo 
bay allowable limits. 


IV-3.1 


10 X Relief valves shall be provided on the orbiter for automatic cargo 
bay venting when the always-open vents are inadequate, in order to 
increase the allowable flow from inside to outside and to protect 
against re-entry ingestion through always-open vents* 

1131 Cargo bay doors shall be open at all times in earth orbit. 

1231 All orbiter hardware contained in and near the orbiter cargo bay 
shall be capable of being functionally isolated from those com- 
ponents necessary for de-orbit, re-entry and landing so that an 
accident in the cargo bay shall not prevent orbiter abort. 

L3. Pressurized tanks shall be located or protected by shrapnel proof 
barriers so that explosion of one will not propagate to others. 

L4. Pressurized tanks shall be located or provided with shrapnel proof 
barriers so that orbiter crew and passenger compartments and equip- 
ment required for orbiter return to earth will be protected in the 
event of a tank explosion. 


-1 G 


X 4 G R IV-3.4 
X 1 R R IV-3.1 


X 1 R R V- 1-3.1 
1 r -III-3. 

X 1 R R IV-4.1 

IV- 4.3 

V- I-3.1 
V-III-3 


(Continued on Page 3.) 


I>-*4 









HAZARD/EMERGENCY 

An explosion in the orbiter cargo bay of a potent!: "v explosive payload vessel. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
REQUIREMENTS & GUIDELINES (cont) 


15. Blowout plugs shAll be provided for pressure release from payload to 
space. 

16. Blowout panels shall be provided in orbiter cargo bay which could 
be re-sealable after use. 


CODE RjGD REF 
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HAZARD/EMERGENCY ANALYSIS 


Page 1 of 3 


PROGRAM 


SHUTTLE 


SORTIE 

X 

STATION 

X 


NO. 

1.3.001 

DATE 

8-17-71 


HAZARD/EMERGENCY f 


T SOURCE 11 - 2 , 3. 4 J 


Spillage or leakage of hazardous fluid or material during manual transfer in 
pressurized modules. 


TassumptIons' 


Hazardous fluids or materials are not carried in or transported through the orbiter 
crew and passenger compartments or through the airlock. 


— I i 


" Ppotential effects | ~ 

1. Injury or loss of personnel. 

2. Damage to spacecraft equipment. 


REQUIREMENTS & GUIDELINES! 

l.o Hazardous fluids or materials shall be double contained during 
handling and transfer in pressurized areas. Capability shall be 
provided to verify the integrity of both containers before and 
after transfer. 

2. p Capability shall be provided to vent the space between double 

containers for hazardous fluid handling to space and for dtmping 
the fluid to space or off-loading to another container. 

3. q Procedures shall be available for handling and transferring 

hazardous fluids or materials in a pressurized area from a singly 
penetrated double container to a storage container without releas- 
ing fluid or material to the spacecraft atmosphere. 

4. r A lower pressure than the ambient atmosphere shall be maintained 

in containers of hazardous fluids or materials during handling and 
transfer in pressurized areas. 

(Continued on Page 2.) 


CODE 


X 2 R P 


X 2 R P 


X 4 R P 


RGD REF . 

|V-I-3.2 

-III-3.2 


kr-i-3.2 

y-m- 3 .a 


V-I-3.4 
y-iii-3.4 


-1 G P 


X X X X 


RESOLVED HAZARD 


RESIDUAL HAZARD 

' fPWC®*315S 


RECOMMENDED (X) OR NOT ( ) — 
NO. OF HRPS (1. 2, 3. 0 «— 
REQUIREMENT (R) OR GUIDELINE (G)- 
PREVENTIVE (P) OR REMEDIAL (R) - 


i 

K 


D-6* 






HAZARD/EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE 2 OF 3 



HAZARD/EMERGENCY 

Spillage or leakage of hazardous fluid or material during manual transfer in 
pressurized modules. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
REQUIREMENTS & GUIDELINES (cont) 


5. s A separate volume with an isolated environmental control shall be 

provided for testing and opening suspect hazardous fluid or mater- 
ial cargo containers. This volume shall have the capability to 
vent and dunp the material to space and to be purged of hazardous 
fluid or material. 

6. t Means shall be provided for detecting the presence of spilled 

hazardous fluids or materials while being handled or transferred 
between pressurized modules. 


CODE 
- 1 G P 


RGD REF 


X 3 G R 


7.b Emergency capability shall be provided to sustain personnel when in a x 2 rr 
manned payload, following detection of a toxic environment in the 
payload, until escape into the orbiter can be effected. 


8. c Special protective garments and equipment shall be provided for 
personnel working in a toxic environment or near potentially 
toxic payload elements. 


X 2 R R 


9 . d Capability shall be provided to purge or dunp to space a toxlcally X 1 R R 

contaminated atmosphere in a pressurized orbiter payload. 

10. u Manual handling and transfer of hazardous fluids or materials shall X 4 R P 

be carried out by two or more personnel who shall have no other 
duties during this operation. 


11. v During handling and transfer of hazardous fluids or materials, 
no other manned operations shall be planned along the transfer 
path . 

jL2.w Mutually reactive fluids shall not be handled or transferred 
! simultaneously. 

3.x The pressures, temperatures, or other parameters which Indicate 
the status of hazardous fluids or materials shall be verified 
before they are transported. 


X 4 R P 


X 4 R R 


X 4 R P 


Continued on Page 3.) 
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HAZARD/EMERGENCY 

Spillage or leakage of hazardous fluid or material during manual transfer in 
pressure zed modules . 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
REQUIREMENTS & GUIDELINES (cont) 


CODE 


RGD REF. 


14. > Hand carried cargo shall be limited to 45 kg (100 lb) mass, pro- 
vided the center of mass is within 35 cms (14 ins.) of the 
handhold. Cargo which exceeds these limits shall be transported 
with mechanical assist. 


X 4 R P 


15. z Cargo in which a rupture or leakage through the containers would 
result in uncontrolled motion of the cargo because of propulsive 
forces beyond a single man's capability to control or because 
toxicity requires immediate abandonment and evacuation of the 
area shall not be hand-carried. 


X 4 G R 


16 . aaPackaging of hand-carried cargo shall be provided with multiple 
hand holds, shall allow forward visibility by the controlling 
personnel, and shall be capable of surviving impact against a sharj 
object at 3 m/sec (10 ft/sec) . 


X 2 R P 


V-I-3.2 

V-III-3.2 


17.bbProvisions shall be made for rapidly securing hand-carried cargo 
to various structural points along the transfer path so as to 
prevent loss of control of the cargo in the event of an emergency. 


X 2 R P 


V-I-3.2 

V-III-3.2 


18. cc Emergency procedures shall be available for handling, containing, 
and disposing of spilled hazardous fluids or materials so as to 
safeguard the personnel, orbiter and payload, in that order. 


X4RR 


V-I-3.4 

V-III-3.4 


i 








HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


Page 1 of 3 


1.3.002 


8-17-71 



hazard/emergency 


I SOURCE | 11-2.3,4 


Spillage or leakage < hazardous fluids or materials during mechanically assisted 

or remote transfer otassurized modules. 

“ "assDWptTS NS 

1. Mechanical assist may range from a simple guide-rail for transportation by hand, 
to fully automatic mechanism or fluid transfer system remotely and with no 
physical manned participation. 

2. Hazardous fluids or materials are not carried in or transported through 
the orbiter crew and passenger compartments, or through the airlock. 


! POTENTIAL EFFECTS 


1. Injury or loss of personnel. 

2. Damage to spacecraft equipment. 


REQUIREMENTS & GUIDELINES 


l.o Hazardous fluids or materials shall be double contained during 
handling and transfer in pressurized areas/ Capability shall be 
provided to verify the integrity of both containers before and 
after transfer. 

2 . p Capability shall be provided to vent the space between double 

containers for hazardous fluid handling to space and for dunping 
the fluid to space or off-loading to another container. 

3. q Procedures shall be available for handling and transferring 

hazardous fluids or materials in a pressurized area from a singly 
penetrated double container to a storage container without releas- 
ing fluid or material to the spacecraft atmosphere. 

4. r A lower pressure than the ambient atmosphere shall be maintained 

in containers of hazardous fluids or materials during handling and 
transfer in pressurized areas. 


CODE | RGD REF. 


X 2 R P 


X 2 R P 


X 4 R P V-] 


-1 G P 


(Continued on Page 2.) 


XXX 


RESOLVED HAZARD 

R[~ ,r >UAL HAZARD X 


RECOMMENDED (X) OR NOT ( 
NO. OF HRPS (1, 2, 3, O 


■ we wr rmr* iii *» » — 

REQUIREMENT (R) OR GUIDELINE (G)- 
PREVENTIVE (P) OR REMEDIAL (R) - 

D-69 









5^ **»n '*' -t * ' ' • *'- *“&■•- #*'•*> ■ -»r - 


HAZARD/EMERGENCY ANALYSIS 

(CONTINUED) page 2 of 3 


NO. 

1.3.002 

DATE 

8-17-71 


HAZARD/EMERGENCY 

Spillage or leakage of hazardous fluids or materials during mechanically assisted 
or remote transfer in pressurized modules. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 


REQUIREMENTS & GUIDELINES (cont) 

CODE 

RGD REF 

5.® A separate volume with an isolated environmental control shall be 
provided for testing and opening suspect hazardous fluid or mater- 
ial cargo containers. This volume shall have the capability to 
vent and disnp the material to space and to be purged of hazardous 
fluid or material. 

- 1 G P 


6.t Means shall be provided for detecting the presence of spilled 
hazardous fluids or materials while being handled or transferred 
between pressurized modules. 

X 3 G R 

V-I-3.3 

V-III-3.3 

7.b Emergency capability shall be provided to sustain personnel when in a 
manned payload, following detection of a toxic enviomment in the 
payload, until escape into the orbiter can be effected. 

X 1 R R 

V-I-3.2 

V-III-3.2 

8. c Special protective garments and equipment shall be provided for 
personnel working in a toxic environment or near potentially 
toxic payload elements. 

X 2 R R 

V-I-3.2 

V-III-3.2. 

9.d Capability shall be provided to purge or dtmp to space a toxically 
contaminated atmosphere in a pressurized orbiter payload. 

X 1 R R 

V-I-3.1 

V-III-3.1 

10. v During handling and transfer of hazardous fluids or materials, 
no other manned operations shall be planned along the transfer 
path. 

X 4 R P 

V-I-3.4 

V-III-3.4 

11. w Mutually reactive fluids shall not be handled or transferred 
simultaneously . 

X 4 & R 

V-I-3.4 

V-III-3.4 

12. x The pressures , temperatures, or other parameters which indicate 
the status of hazardous fluids or materials shall be verified 
! before they are transported. 

X 4 R P 

V-I-3.4 

V-III-3.4 

•3. Transfer lines for hazardous fluids shall be located outside of 
pressurized vessels or shall be double walled with the capability 
of venting the space between the two containers to space. 

(Continued on Page 3.) 

X 1 R R 

V-I-3.4 

V-III-3.4 


1 rry-M.-'inn Td-70 
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Spillage or leakage of hazardous fluids or materials during mechanically assisted 
or remote transfer in pressurized modules. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
REQUIREMENTS & GUIDELINES (cont) 


14. Plumbing connections for hazardous fluid transfer in pressurized 
areas shall be double contained with the capability of venting 
the space between the two containers to space. 

15. Transfer lines in pressurized areas, including double walled 
lines, shall be purged after the transfer of hazardous fluids 
and before breaking plumbing connections. 

16. Cargo beyond the limits allowed for hand transfer shall be trans- 
ferred on guide rails or other mechanisms which positively con- 
strain the angular and line as motion of the cargo except in the 
direction of motion. 


CODE RGDREF 


X 1 R R V-I-3,1 
V-III-3. 


X 4 R P V-I-3.4 
V-III-3. 


X 1 R P V-l-3.1 
V-III-3.: 


17. ddCargo handling mechanisms shall allow for stoppage of the motion, 

reversal of the motion, or release of the cargo at any point 
along the transfer path. 

18. eeThe transfer of cargo with mechanical assist shall either be 

visually monitored by personnel who are free of other duties, 
or shall be provided with sensing devices which automatically 
stop the motion if the cargo Interfaces with structure or 
equipment . 

19. ff Personnel will not be located during cargo transfer in positions 

which can result in their entrapment if the cargo transfer mech- 
anism fails. 

20. ggEmergency procedures shall be available for the release, handling 

and transportation of remotely controlled cargo in the event of 
failure of the handling mechanism, or of damage to the packaging 
of the cargo. 

| 

21. hhCargo handling mechanisms shall be designed to withstand the pro- 

pulsive forces that would result from a leaking or ruptured fluid 
cargo. 


X 1 R P V-I-3.1 
V-III-3. 1 


X 4 R P V-I-3.4 
-111-3*4 


X 4 R R V-I-3.4 
V-III-3. 4 


X 4 G P V-I-3.4 
-III-3.4 


X 1 R R I V-I-3.1 
V-III-3. 1 


D-71 











HAZARD/EMERGENCY ANALYSIS 


Page _1_ of 2 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


1.3.003 


8-20-71 



HAZARD/EMERGENCY 


I SOURCE | II-2.3.4 


Spillage or leakage of hazardous fluid or material during remote transfer in 
unpressurized area. 

TassumTtTS'ns I 


1. Mechanisms for cargo transfer may range from being fully under manned control • to 
fully preprogrammed and automated. 

2. Hazardous fluids or materials are not carried in t cr transported through , the 
orbiter crew and passenger compartments or through t.h*s airlock. 


Damage to spacecraft structure and equipment. 


CODE | RGD REF. 



tbti& 





















HAZARD/EMERGENCY 


Spillage or leakage of hazardous fluid or material during remote transfer In 
unpressurized area. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 


REQUIREMENTS & GUIDELINES (cont) 


CODE 


RGD REF 


6. ee The transfer of cargo with mechanical assist shall either be 

visually monitored by personnel who are free of other duties, 
or shall be provided with sensing devices which automatically 
stop the motion if the cargo interfaces with structure or 
equipment . 

7. gg Emergency procedures shall be available for the release, handling 

and transportation of remotely controlled cargo in the event of 
failure of the handling mechanism, or of damage to the packaging of 
the cargo. 

8. hhCargo handling mechanisms shall be designed to withstand the pro- 

pulsive forces that would result from a leaking or ruptured fluid 
cargo. 

9. Separate lines shall be used for the transfer of fuel and oxidizer. 


X 4 R P 


V-I-3.4 

V-III-3.4 


X 4 G P 


V-I-3.4 

V-III3.4 


X 1 R R 


V-I-3.1 

V-III-3.1 


X 1 R R 


V-I-3.1 


F-III-3.1 


D-73 
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PROGRAM 


SHUTTLE 

SORTIE 

STATION 


HAZARD/EMERGENCY ANALYSIS 


Page _1 _ of 


_NO. 

1.3.004 

DATE 

8-20-71 


j SOURCE I Ifr-2 . 3 . 


HAZARD/EMERGENCY 


Failure of transfer mechanism and/or loss of control of cargo during transfer In 
pressurized or unpressurized areas. 

[ ASSUMPTIONS | 

Possible failure modes include: 

a. Cargo moving loose In zero g. 

b. Cargo moving attached to runaway cargo transfer mechanism. 

c. Cargo jammed. 




Injury to personnel. 

2. Damage to spacecraft structure and equipment. 


REQUIREMENTS & GUIDELINES 


Cargo of more than 45 kg (100 lb) mass, or hazardous cargo shall be X 2 R R 
tethered at all times during handling and transfer In pressurized 
areas either to the spacecraft structure or to the transfer mech- 
anism so as to limit the possible travel of the cargo following a 
failure of the primary cargo attach mechanism. 


CODE | RGD REF. 


IV-3.2 


2. Automatic and/or crew controlled emergency means shall be provided 
for shutting off power and arresting the motion of cargo transfer 
mechanisms. 

3. Cargo shall be packaged during transfer so as to have no exposed 
sharp edges or corners. 

4. Crew controlled cargo transfer velocity shall be limited so that 
the cargo can at all times be stopped within the visible range. 

5. Emergency procedures shall be available for releasing cargo which 
has become jammed In hatches or other restricted areas without 
causing damage to the spacecraft structure or equipmert. 

(Continued on Page 2.) 

RECOMMENDED (X) OR NOT (— ) 

— , NO. OF HRPS (1. 2, 3. \ , - 


P WUjW I X 

uhwhJ ha£551 


NO. OF HRPS 11. Z, 3. % I — 
REQUIREMENT (A) OR GUIDELINE 6)- 
PREVENTIVE (P) OR REMEDIAL (R) - 


X 2 R R 


X 1 R R 


X 1 R P 


|X 4 R R 


It % 1 l 










HAZARD/EMERGENCY 


I Failure of transfer mechanism and/or loss of control of cargo during transfer In 

pressurized or unpressurized areas. 


I 

a 

i 

£ 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (cont) CODE 

6.u Manual handling and transfer of hazardous fluids or materials shall X A R P 
be carried out by two or more personnel who shall have no other 
duties during this operation. 


7.y Hand carried cargo shall be limited to 45 kg (100 lb) mass, pro- 
vided the center of mass Is within 35 cms (14 Ins.) of the 
handhold. Cargo which exceeds these limits shall be transported 
with mechanical assist. 


X 4 R P 



8.z Cargo In which a rupture or leakage through the containers would 
result In uncontrolled motion of the cargo because of propulsive 
forces beyond a single man's capability to control or because 
toxicity requires Immediate abandonment and evacuation of the 
area shall not be hand-carried. 


X 4 G R 


9 . aaPackaglng of hand-carried cargo shall be provided with multiple 
handholds , shall allow forward visibility by the controlling 
personnel, and shall be capable of surlvlvlng impact against a sharp 
object at 3 m/sec (10 ft/sec) . 


X 2 


R P 


10 ^Provisions shall be made for rapidly securing hand-carried cargo |X 2 R P 
to various structural points along the transfer path so as to 
prevent loss of control of the cargo In the event of an emergency. 

ll^erhe transfer cf cargo with mechanical assist shall either be |X 4 R P 

visually monitored by personnel who are free of other duties, 
or shall be provided with sensing devices which automatically 
8 top the motion if the cargo Interfaces with structure or 
equipment. 

12ffPersonnel will not be located during cargo transfer In positions |X 4 R R 
which can result In their entrapment If the cargo transfer mech- 
anism fails. 


13. Cargo beyond the limits allowed for hand transfer shall be trans- 
ferred on guide rails or other mechanisms which positively con- 
strain the angular and linear motion of the cargo except In the 
direction of motion. 

(Continued on Page 3.) 


X 1 R P 


RGD REF 


IV- 3.4 

V- I-3.4 
V-IiI-3.4 

IV- 3.4 

V- I-3.4 
V-III-3.4 


IV- 3.4 

V- I-3.4 
V-III-3.4 


IV- 3.2 

V- I-3.2 
V-III-3.2 


IV- 3.2 

! V-I-3.2 

V- III-3.2 

IV- 3.4 

V- I-3.4 
V-III-3.4 


IV- 3.4 

V- I-3.4 
V-III-3.4 


IV- 3,1 

V- I-3.1 

•V-III-3.1 








HAZARD/EMERGENCY ANALYSIS 
(CONTINUED) 


PAGE 3 OF 3 







S 






HAZARD/EMERGENCY \ | SOURCE 1-11-2.3 4 | 

A radioactive environment In a sortie nodule or space station, resulting from 
exposure or escape of radioactive material during transfer and handling of radioactive 
materials . 




1. Equipment exposure to radiation environment Is not hazardous. 

2. Radioactive materials will be carried in pressurized sortie modules and space 
station modules only, but these may be unmanned at times. 

3. Normal precautions for radioactive materials are included as part of the experiment. 

4. Typical radioactive sources are identified below ‘ 

(Continued on J'age 2.) 

• potential effects I 

i 

1. Exposure of orbiter, sortie module, or space station personnel to excessive 
radiation. 


2. L„s 8 of control of radioactive material. 


REQUIREMENTS & GUIDELINES 


CODE 


1. Spare shielded containers shall be available In which radioactive X 2 R R 
materials can be temporarily stored In the event of an accident. 

2. Means shall be provided for locating radioactive material which X 2 R R 
has been Inadvertently released In a module. 

3. The environmental control systems of modules containing radioactive - 1 R R 
material which can result in unacceptable radloactlvlt levels In 

the event the radioactive material Is released in the atmosphere, 
shall be capable of operating without contaminating the atmosphere 
of the orbiter or other interfacing spacecraft or modules. 

4. Capability shall be provided to rapidly evacuate personnel from X 1 R R 

and seal off radloactively contaminated modules until they can be 
returned to earth. 

5. The environmental control systems of modules containing radioactive - 1 R R 
material shall be capable of extracting and containing radioactive 
material inadvertently released :’.n the atmosphere. 

M J ][ 

6. Means shall be available for decontaminating equipment and personnel x x x x 

exposed to radioactive material and for storing and returning to , 
earth radloactively contaminated^c^o|hlng. ^n^ ojjft^r ^ma terial. | 

NO. OF HRPS ill 2. 3, ) 

RESOLVED HA ZARD REQUIREMENT (ftl^RGUIDELINEjS) » [ 

BCC1IMI4I ui7Aftn I PREVENTIVE IP) OR REMEDIAL (Rj 


X 1 R R 


- 1 R R 


URR 

X X X X 


RESIDUAL HAZARD 




PREVENTIVE (P) OR REMEDIAL 


D-77 











HAZARD/EMERGENCY ANALYSIS 

(CONTINUED) page 2 of 2 


NO. 

1.3.005 

DATE 

8-13-71 


i HAZARD /EMERGENCY 

I 

A radioactive environment in a sortie module or space station, resulting from 
exposure or escape of radioactive material during transfer and handling of radioactive 
materials. 


(LIST ADDITIONAL CONTENT IN TUI ORDER OF SHEET I.) 


ASSUMPTIONS (cont) 





4. (Continued) 

i Source 

| " 

Quantity 

Discipline 

Experiment 

Usage 

Co 60 or Cs 137 

2-3 curies 

Life Sciences 

Radiobiology 

Gamma Isotope 
Radiation Source. 

C-14 Methionine 

t 

1 

Sr89 

Unknown 
10 m. - * lli- 

Life Sciences 

Role of gravity 
in life process- 
es of microscopic 
organisms and 
cultured tissues. 



curies 

Life Sciences 

Effect of the 
space tnvironmt ^ 
on invertebrate 
behavior. 

Radiation Source 
for tribolium 
experiments . 


^TT7-Vi- jJ3T"‘ 


J 

* 

j 

f 3 




V 


D-73 


♦ 





HAZARD/EMERGENCY ANALYS I $ 


PROGRAM 


SHUTTLE 

X 

SORTIE 


STATION 

X 


H/ZARD/EMERGENCY | 

Impairment of visibility at critical moment during docking. 


NO, 2.1.001 
DATE 110-1 8-71 

SOURCE) H-3.2.3 


i ASSUMPTIONS | 

1. Direct visual or video visual cues are required to maneuver vehicle to contact alignment. 

2. Sunlight and/or artificial light are required for docking. . 

3. Crew optical alignment or video monitor aids are required. 

A. The orbiter is the active docking vehicle. 


[ POTENTIAL EJECTS i 

1. Eye or vidicon damage from direct or reflected light. 

Inadvertent vehicle contact and damage caused by loss of visual cues. 


1 REQUIREMENTS A GUIDELINES I CODE RGO REF. 

1. Maneuvering procedures during docking shall preclude directing sunlight X 4 R P IV-3.4 

into controlling crew's eyes or into the vidicon tubes of the visual y-III-4 .: 

system. ! 

2. The reflectance or surfaces on docking vehicles and the docking system X 1 R P IV-3.1 

that are visible to the controlling crew and T.V. cameras shall be V-III-3.: 

below eye and vidicon damage levels. 

3. The vidicon tubes for docking shall be designed for low sensitivity to X 1 G P IV-3.1 

tula image burn. V-III-3.. 


4. Redundant or replaceable lighting provisions shall be provided for 
docking. 


X 1 R P IV-3.1 

V-III-3.: 


5. Redundant or replaceable vidicon tubes shall be provided for docking. X 1 R R IV-3.1 

V-III-3.: 


6. Redundant or replaceable video monitors shall be provided. 


X 1 R R IV-3.1 

v-in-3.: 


|7. Window, vidicon, and EVA visor filters shall be provided to protect eyes X 2 R P IV-3.2 

and camera from docking laser light damage. V-III-3.! 

X X X X 


RESOLVED HAZARD] X 
RESIDUAL HAZARD] 

1 .r-SS-3138 


RECOMMENDED (X) OR NOT (“) — 

NO. » HRPS }l, 2. 3, 4. > — 

REQUIREMENT (R) OR 0UI0ELINE «)< 
PREVENTIVE (P) OR REMEDIAL (R) - 

*-79 



PROGRAM 


SHUTTLE 

SORTIE 


STATION 


HAZARD/EMERGENCY ANALYSIS 


2.1.002 


10-18-71 


HAZARD/EMERGENCY 


Loss of vehicle control prior to docking contact, 


SOURCE 




| 

Active vehicle rotational control Is a rate command, reaction jet control system with 
attitude hold capability. 

Active vehicle translation control Is an acceleration command, reaction jet control 
system. 

Active vehicle Is flying to target vehicle alignment of Its docking system, docking 
system Is being extended, vehicle translated to cause contact at docking Interface. 


POTENTIAL EFFECTS 


Inadvertent vehicle contact and damage. 
Damage to docking system. 

Inability to dock. 


REQUIREMENTS & GUIDELINES I I CODE RGD REF. 


. The reaction jet control system shall provide redundancy to preclude X 1 R P IV-3.1 
"jet stuck off" conditions. V-III-3. 


The rate command and rate/attitude feedback loops of the rotational 
control system shall provide redundancy to preclude "open loop" 
failures. 


X 1 R P IV-3.1 


Inhibit capability shall be provided to control the "jet stuck on" 
condition. 


X 2 R R 


IV- 3.2 

V- III-3. 2 


Automatic docking system stowage command capability shall be provided. - 1 G R 

The translational command circuits shall provide redundancy to preclude X 1 R P 
"open circuit" failures. 

The docking system shall be designed to operate with continuous couaand XI ER 
of the control system in the event that minimum impulse command has 
been lost. 


IV-3.1 


IV-3.1 


XXX 


RESOLVED HAZAR D 
RESIDUAL HA^AitO 
«— 


RECOMENDEQ (X) OR NOT (~) 

NO. O f MIPS jl, 2, 3. V ) — 

REQUIREMENT (R) OR RUIKLINE ft)- 
MEVENTIVE ft) OR RBCDIRL (R) - 


I 









HAZARD/EMERGENCY | 

Loss of vehicle control after initial contact during docking, 


SOURCE I 1It3 , 2 ,3 , 


■GSSiilQfi 


1. Capture has been accomplished. 

2. Both vehicles are in attitude hold. 


ENTIAL EFFECTS 


1. Jackknifing vehicle contact and damage. 

2. Jackknifing vehicles damage to capture interface release system. 
13. Vehicle damage from excessive reaction jet plume impingement. 


REQUIREMENTS & GUIDELINES 


1A. The reaction jet control system shall provide redundancy to preclud* 
•'jet stuck on" and jet stuck off" conditions. 

2B. The rate command and rate/attitude feedback loops of the rotational 
control system shall provide redundancy to preclude "open loop" fail 

3C. Inhibit capability shall be provided to control the "jet stuck on" 
condition. 


CODE 

RGD REF. 

X 1 R P 

IV-3.1 


V-III-3.1 

X 1 R P 

IV-3.1 

X 2 R R 

IV-3.1 


V-III-3.1 

X 1 R R 

IV-3.1 


V-III-3.1 


Thermal protection shall be provided to prevent jet plume impingement 
damage from an out-of-control docking vehicle. 


1 G R 


The docking system shall be designed to withstand normal jackknifing X 1 R R I IV-3.1 
vehicle dynamics and will limit attitude excursions to within pre- p-III-3.1 

scribed limits as determined by vehicle geometry to prevent inadvertent 
vehicle contact. 


X X X X 


RESOLVED HAZARD 
RESIDUAL HAZARD 
IT >-83-3138 


RECOMMENDED (X) OR NOT (-) — 

NO* OF HNFS 1. E, 3, < ) — 

REQUIREMENT (R) OR GUIDELINE G) 
frSentive (F) OR REMEDIAL (A) - 

Ml 









HAZARD/EMERGENCY ANALYSIS 


PROGRAM 

SHUTTLE 

X 

SORTIE 


STATION 

X 


NO. 

2.1.004 

DATE 

10-18-71 


HAZAUD/EMEROENCY | 


SOUKCt I 


a- 3 . 7 . 3 i | 


Failure to inhibit attitude hold of one vehicle after capture, during docking. 


" ’xsrowTOEK — 

1. Capture has been accomplished. 

2. Attitude held must be done by one vehicle only during and after rigidizing to avoid 
attitude control system incompatibilities. 


~ Y P6TENTIAL EFFECtS j 

1. Docking system damage by oscillating motion and loads. 

2. Vehicle damaged from failed extendible docking system. 

3. Vehicle damage from excessive reaction jet plume impingement. 


I REQUIREMENTS A GUIDELINES I 

1. Positive, redundant indication of docking capture latch shall be 
provided the vehicle which is to inhibit its control system. 


X 


CODE RGD REF. 
3 E R IV-3.3 

V-III-3. ■ 


2. Either manual and/or redundant automatic attitude hold inhibit functions 2 R P JlV-3.2 
shall be provided to the applicable docking vehicle on indication of I V-III-3. 2 

capture. 


3. 


The docking system shall be capable of withstanding vehicle oscillation 
and loads generated by inadvertent attitude control system activity of 
either or both vehicles during draw down to rigidize the capture inter- 
face. 


X 


1 


R R 


p- 3 - 1 J 


4. Thermal protection shall be provided to prevent jet plume impingement 
damage from docking vehicles within the design angular and linear 
misalignments. 


X 1 R R 


IV-3.1 

IV- 4.1 

V- III-3. 1 
V-III-4.ll 


5. Control system inhibit switches shall be protected from inadvertent 
activation or deactivation. 


X 2 R P 


IIV-3.2 
I V-III-3. a 


1 

PlESn^L - HAZAID-| 1 

T T i MB-TOr 1 


RECOWENDED (X) OR NOT (-) — 

NO. OF MBS (1. I, 3, < ) 

PREVENTIVE (P) OR RSmDIRL (R) 


M2 


X X X X 
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HAZARO/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

X 

SORTIE 


STATION 

X 


2.1.005 


DATE 10-18-71 


HAZARD/EMERGENCY | 

Loss of docking system function or control. 


SOURCE I W-3.2.3 


The docking system functions considered are from deployment of module from orblter cargo 
bay to completion of rigldizing. 


TENTIAL EFFECTS 


1. Vehicle damage caused by loss of attenuation control. 

2. Damage to latch ~s and failure to dock attempting to use prematurely actuated latches. 

3. Crew fatality d *e to explosive decompression if seal latches release after pressurization 
of interface. 

Crew inlurv caused by failed release of latch stored energy. 


REQUIREMENTS & GUIDELINES I CODE RGD REF. 


1. Positive indication of cargo bay door deployment and closure shall be X 3 R R IV-3.1 
provided. 

2. Positive indication of docking capture latch status shall be provided X 3 R R IV-3.3 

to assure they are each (1) armed, (2) triggered, (3) engaged, and V-III-3. 

(4) locked. 

3. Positive, redundant indication of docking port seal latch status shall X 3 R R 
be provided to assure they are each (1) armed, (2) triggered, (3) 
engaged, and (4) locked prior to opening transfer tunnel. 

4. Capability shall be provided to recycle both capture and seal latches X 1 R R 
on the docking system from any nhase of their status. 


5. Docking latching systems recycle switches shall be protected from 
inadvertent activation. 


X 2 R P 


6. Docking latch power source shielding shall be provided to protect crew - 1 G P 
from failure release of stored energy. 

7. Translation acceleration command minimum Impulse capability shall be 
provided to permit station keeping drift to a minimum and reduce 
attenuation requirements. 


RESOLVED HAZARD 


[ Ml g 1 


RECOMMENDED (X) OR NOT (- ) 
NO. OF HRPS (1, 2, 3 ' ' 


PREVENTIVE (P) OR REMEDIAL (R 


D»83 ’ 











HAZARD/EMERGENCY ANALYSIS 


(C T.J Niii HJ page of 


NO. 

2.1.005 

im 

10-18-71 


HAZARD/EMERGENCY 

Loss of docking system function or control. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

POTENTIAL EFFECTS (continued) 

5. Entry prevented by failure to separate from core module, stow core module, or close 
cargo bay doors. 


REQUIREMENTS & GUIDELINES (continued) 


CODE RGD REF. 


8. Bore sight alignment of video or direct visual view with the 

center line or the docking interface from a point not greater than 
2.0 meters from the docking plane shall be provided to reduce 
contact energy misalignment. 


X 1 G P 


IV-3.1 


9. Docking port environmental covers shall be deployed and not 
jettisoned. 


X 1 R P 


IV- 3.1 

V- III-3. 


t mp-ss-j n a r 


D-84 | 
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HAZARD/EMERGENCY ANALYS I S 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


2,1.006 

10-18-71 


HAZARD/EMERGENCY 


SOURCE I II-3.2.3 


Failure of orb Iter payload module deployment mechanism. prior to docking. 




The payload module must be deployed from the orblter cargo bay, such as manipulators 
or a rotatable mechanism, prior to docking the module. 

The returned payload module is stowed into the orblter cargo bay by the same 
mechanism before the orblter can return to earth. 


1. Docking prevented by failure of deployment release. 

2. Partially deployed module prohibits entry of orblter. 

3. Recontact with cargo bay causes module or cargo bay damage. 


REQUIREMENTS & GUIDELINES 


1. Positive means for jettisoning the payload module shall be provided 
the event of a failure of the payload deployment mechanism. 

2. Guiderails or similar device shall be provided to prevent recontact 
between payload module and cargo bay in the event of deployment 
mechanism failure. 

3. Positive means for jettisoning or collapsing payload deployment 
mechanism shall be provided if mechanism will at any point in the 
deployment destruct the closure of the cargo bay doors. 



CODE 

RGD REF. 

in 

X 1 R R 

IV-3.1 


X 1 R R 

IV-3.1 


X 1 R R 

IV-3.1 


RESOLVED HAZARD . 
RESIDUAL HAZARD X 


RECOMMENDED (X) OR NOT (-) 


NO* OF HRFS (1. 2, 3* 4 ) — 

REQUIREMENT (RJ OR 6UIDELINE (8) 
PREVENTIVE (P) OR REMEDIAL (RJ - 


X X X X 










HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


NO. 2.1.007 

DATE 10-18-71 


HAZARD/EMERGENCY 


Hardware protrusions In the docking tunnel. 


SOURCE 


The docking tunnel Is used for personnel transfer when the two vehicles are docked and 
rlgldized. 


Injury to crew from bumping Into protrusions. 


REQUIREMENTS & GUIDELINES 


1. All hardware In the docking tunnel will be flush mounted to Interior 
walls of the cargo/crew transfer tunnel. 


CODE RGD REF, 

X 1 R P IV-3.1 

.V-III-3.1 


IX X X X 




mamaa it) or rot (- ) 


NO. OP WPS (1. 2, 3, 4 ) — 

RtflJIflCNMT (R) OR 0UI0CL1HE (•)* 
MEVCNTtVE (P) OR RBCDML (R) - 









HAZARD/EMERGENCY ANALYSIS 


& 

i 


v 


'r 


i 

* 


i 

y 


PROGRAM 

SHUTTLE 

X 

SORTIE 


STATION 

X 


HAZARD/EMERGENCY [ 


NO. 

2.1.008 

DATE 

10-18-71 


SOURCE \ II-3.2,3> 1 


Unsecured equipment and personnel luring docking. 


~ ASSUMPTIONS — | 

1. The accelerations during docking are not severe enough to cause injury to personnel 
or damage to equipment. 

2- The velocity changes during docking are not large, but can result in out-of-control 
motions for un tethered objects. 


I ' paTEN T rer to ot h 

1. Injury to crew caused by accelerated objects and crew. 


Hardware damage. 


REQUIREMENTS & GUIDELINES,^ 

CODE 

RGD REF. 

1. Stowage or tie down shall be provided for crew and critical equipment 

X 2 G P 

IV-3.2 

during docking. 


V-III-3. 

2. Annunciator warning to all personnel shall be provided prior to manned 

X 3 R * 

17-3.3 

docking maneuvers. 

i 

V-III-3. 

i 




1 





RECOMMENDED (X) OR NOT (- ) — 

NO* OF MRS (1, t, ). 4 ) — 

KflUIRMMT (R) OR DUIDELINE l)« 
mVENTIVE (P) OR MNEDIRlIr) - 


X X X X 


T V 


W7, 



HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE x 
SORTIE 
STATION I 


NO. 2.1.009 

DATE 10-18-71 


HAZARD/tMERGENCY 


SOURCE P 11-3.2,3 


Degradation of life support system during docking. 




.. The docking maneuvers are under crew control. 
2. The orblter Is the active docking vehicle. 


,. Loss of consciousness at critical moment during docking. 
>. Vehicle uamage caused by loss of control. 


REQUIREMENTS & GUIDELINES 


1. Emergency life support provisions shall be available to the docking 
crew during docking operations. 


CODE RGD REF. 


X 1 R P IV-3.1 


U U 


LVED HAZARD 


I DUAL 


X) OR SOT (- ) 


HO. O F ms (1, 1» l» A V — 
KOMMMT JR) OR RUtOkLiHE («)- 
WfWHTWi (P) OR RMIXL (R) - 


I 








HAZARD/EMEROENCY | 

Docking hatch opened when pressure equalization incomplete. 


ENTIA 


. Crew injury or fatality from hatch impulse and explosive decompression. 
: . Hatch damage . 

I. Inadvertent environment loss. 


REQUIREMENTS & GUIDELINES 


1. Means shall be provided to equalize pressures on both sides of a 
hatch before opening it. 


CODE 


X 2 R P 


2. The pressures on each side of a hatch shall be verified before opening X 4 R P 
the hatch. 

3. Means shall be provided to verify the integrity of a docking hatch seal X 3 R P 
before separating a docked module or vehicle. 

A. Stops shall be provided on hatches to prevent uncontrolled opening if X 1 R P 
opened when a pressure differential exists. 


RECOMMENDED (X) OR NOT (- ) 


RESOLVED HAZARD 
RE5IDUAL HAZARD 


NO. OF HRFS |1. 2, 3, 4 ) — 
REQUIREMENT (R) OR 8UIDCL1NE (8) 
PREVENTIVE F) OR REMEDIAL (R) - 
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HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

X 

SORTIE 


STATION 

X 


NO. 

2.1.011 

DATE 

10-18-71 


HAZARD/Ef URGENCY | 

Electric discharge during initial docking .contact. 


{source | '. 1 1-3.2. 3, [ 




■■? 

•A 


A&UMPtlONS 


1. Static electricty differential can exist between docking vehicles. 


POTENTIAL EfFEdTS [ 


1. Instrumentation overload damage. 

2. Crew electric shock. 

3. Inadvertent pyre initiation. 

4. Fire/explosion from spark ignition of environment. 


7 REQUIREMENTS l GUIDELINES I " ™ — — — 

1. Circuit breaker protection of all interface instrumentation shall be 
provided. 

2. All docking interface equipment shall be grounded. 

3. Electrical umbilicals shall be grounded until connection of the 
docking interface. 


CODE 


X 2 R R 

X 1 R R 
X 1 R R 


IV- 3.2 

V- III-3. 


IV-3.1 

-III-3.1 

IV-3.1 

V-III-3. 1 


X X X X 


RESOLVED HAZARD IX 


RESIDUAL HAZARD j 1 

3Tjr — =J — *- 


(X) OR ROT (- ) — 

NO. O f MBPS }l ( 2, S, 4 ) — 

Koiinen (R) or ouioaiic («)■ 
nSvENTIVE (P) OR REMEDIAL (ft) - 


RGD REF. 


% 


h 


9 D-90 










HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHJTTLE 

X 

SORTIE 


STATION 

X 


HAZARD/EMERGENCY 


NO, 2.2,001 

DATE 10-25-71 


SOURCE 1 11-4,2.2.4 


Loss of vehicle control in close proximity to other vehicle .during docking. 


ASSUMPTIONS 


The direct docking system is used, which requires the docking vehicles to be flown 
into close proximity. 


POTENTIAL EFFECTS 


Inadvertent vehicle contact and damage. 
2. Failure to dock. 


REQUIREMENTS & GUIDELINES 


[Requirements and guidelines are the same as 2.1.002] 


CODE I RGD REF. 


RESOLVED HAZARD 
RESIDUAL HAZARD | X 


RECOMMENDED (X) OR NOT (- ) 


NO. OF HRPS (1. 2, 3, 4 ) — 

REQUIREMENT (R) OR GUIDELINE (fi) 
PREVENTIVE (P) OR ^MEDIAL (R) - 










HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

X 

SORTIE 


STATION 

X 


2.2.002 

10-25-71 


HAZARD/EMERGENCY 


SOURCE 



\m 


ENTIAL EFFECTS 


Docking system overload structural damage. 
Failure to dock. 


REQUIREMENTS & GUIDELINES 


Thermal blanket temperature control of hydraulic components shall 
provide proper operating temperature. 


CODE RGD REF. 


X 1 R P IV-3.1 

/-III-3.1 



XXX 












PROGRAM 


HAZARD/EMERGENCY ANALYSIS 


SHUTTLE 

X 

SORTIE 


STATION 

X 


HAZARD/EMERGENCY 


SOURCE 


2.3.001 

10-25-71 


11-3.2.4 


Loss of vehicle control prior to docking contact by extendable tunnel. 


ASSUMPTIONS 


1. The extendable tunnel docking system Is used. 

2. Separation distance of the two vehicles prior to docking contact Is such that collision 
by two vehicles Is not likely. 


I 


POTENTIAL EFFECTS 


,. Structural damage to extendable docking system. 
2. Failure to dock. 


CODE RGD REF. 














HAZARD/EMERGENCY ANALYS I S 


PROGRAM 


SHUTTLE X 

SORTIE 

STATION X 


NO. 2.3,002 

DATE 10-25-71 


HAZARD/EMERGENCY 


SOURCE 


Loss of vehicle control after capture by extentable tunnel docking system. 




The extendable tunnel docking system is used. 


ENTIAL E 


.. Structural damage to extendable system caused by buckling. 
!. Damage to vehicles by contact. 

1. Failure to dock. 


REQUIREMENTS & GUIDELINES 


[Requirements and guidelines are the same as 2.1.003] 


CODE | RGD REF. 


RECflMENOED (X) OR NOT (- ) 


no. ofm% (1, 2, S, ♦ ) <— 

RCgUHKMEJIT (R) OR OUIOELINE (0) 
MVCNTXVE (t) OR RMDML (R) - 


XXX 










HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


NO. 2.3.003 

DATE 10-25-71 


HAZARD/EMERGENCY 


SOURCE 


II-3.2.4 


Loss of pressure In the pneumatic extension and energy absorption 
mechanism of the docking system. 




1. The extendable tunnel docking system is used. 

2. A pneumatic single or double walled tunnel is used for achieving the docking system 
extension and for attenuation. 


ENTIAL EFFECTS 


Contact damage to vehicle caused by failure of energy attenuation system. 
Failure to dock. 


REQUIREMENTS & GUIDELINES 


Positive redundant indication of the pneum 
status of the extendable docking system sh 


RESOLVED HAZARD 


RECOMMENDED 
NO. OF HRPS 
REQUIREMDIT 
PREVENTIVE 


CODE RGD REF. 


X 3 R R IV-3.3 
V-III-3. 














HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


NO. 2.4.001 

DATE 10-25-71 


HAZARD/EMERGENCY 


SOURCE 


Loss of vehicle control prior to capture by manipulator during docking. 




II-3.2.4 


1. The manipulator docking system is used. 

2. The manipulator is deployed and fully extended prior to initial contact maneuvers. 


TENTIAL EFFECTS 


|l. Structural damage to extended manipulator arms. 

Structural damage to vehicle from collapsed arms, 
b. Failure to dock. 


COOE RGD REF. 












H AZARD/tMER GE'NC Y ANALYSIS 


PROGRAM 


SHUTTLE X 
SORTIE ; 
STATION : X 


Nfc p .^>002 

mTl 10 - 25^71 


HAZARD/EMERGENCY 


Loss of vehicle control after capture by manipulator during docking. 




1. The manipulator docking system Is used. 

2. The manipulator moves the two vehicles towards each other for docking after capture. 


.. Structural damage to manipulator arms caused by vehicle jacknife dynamics, 
:. Structural damage to vehicle from collapsed arms. 

I. Failure to dock. 


REQUIREMENTS & GUIDELINES 


■ssisnmzEinii 





I 


t 
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HAZARD/EMERGENCY ANALYSIS 


PROGRAM 

SHUTTLE 

X 

SORTIE 


STATION 

X 


HAZARD/EMERGENCY | 

Loss of manipulator joint motor control during docking. 


NO. 

2.4.003 

DATE 

10-25-71 


f SOURCE 


II-3. 2.4 | 


pA$SUM7fT0'NS' | 

1. The manipulator docking system Is used. 

2. The manipulator uses electrical, hydraulic or other power activated motors at each 
joint for controlling Its motion. 

3. The manipulators are installed In the orblter, but not In the Space Station. 


~ T>^rNfT2I~~EF?Egfsn 

1. Inadvertent vehicle/docking system contact damage . 

2. Vehicle contact through loss of relative motion control. 

3. Failure to dock. 

4. Loss of personnel if the docked module is used for personnel transfer. 


REQUIREMENTS & GUIDELINES) 

CODE 

RGD REF. 

1. Control feedback loops shall be provided on each manipulator joint 
control which limit motion when excessive forces or torques are 
experienced. 

X 2 R R 

IV-3.2 

2. Redundant joint motor power supply circuits shall be provided on 
manipulators . 

X 1 G P 

IV-3.1 

3. Arm joint on manipulators shall be designed to lock on indication of 
joint control or motor failure. The lock shall Incorporate a slip 
clutch capability to prevent structural failures. 

X 2 R R 

IV-3.2 

4. A manipulator inhibit or "freeze" capability shall be provided. 

- 1 G R 

- 

5. Electrical or mechanical stops shall be provided to prevent the 
manipulator from being driven into surfaces of its own vehicle. 

X 2 G R 

IV-3.2 

6. Modules which are used for personnel transfer by manipulator docking 
shall be provided with EVA pressure suits for all on-board personnel, 
and with EVA exit capability so that the personnel can escape to 
the orblter or the Space Station in the event the module becomes 
| stranded between vehicles by a manipulator failure. 

- 1 R R 
X X X X 

a a a . 



■ 

RECOHMENDEO (X) 0* NOT (- ) 1 

NO. OF MPS 11. 2. 3. 4 ) -- 1 


V 

ttSOLVeD HAZARD 


REqUlREKNT J>) ON WJ0ILINEJ6) 



RESIDUAL hAzard 

T 





D-98 




1 
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HAZARD/EMERGENCY ANALYSIS 
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NO. 

2.4.003 

DATE 

10-25-71 


HAZARD/EMERGENCY 

Loss of manipulator joint motor control during docking. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET 1.) 
REQUIREMENTS & GUIDELINES (continued) 

CODE 

RGD REF. 

7. Modules which are used for personnel transfer by manipulator docking 
shall provide emergency life support for all on-board personnel until 
they can be rescued by external means in the event the module becomes 
stranded between vehicles by a manipulator failure. 

- 1 R R 


8. Personnel will only be transferred between the orbiter and the 
station through a rigidly connected docking interface between the 
two vehicles. 

X 4 R R 

IV- 3.4 

V- III-3. 

9. Two or more manipulators shall be provided in a manipulator docking 
system. Each manipulator shall be capable of performing docking 
by itself , and shall also be capable of continuing any docking 
function in the event of a failure of the other manipulator at any 
stage of the docking. 

X 1 R R 

IV-3.1 

7-III-3.1 

10. An emergency jettisoning capability shall be provided for manipu- 
lators, independent of the normal manipulator system. This shall 
be capable of jettisoning the manipulator and configuring the 
orbiter for reentry and landing following a failure or accident 
which does not allow stowage of the manipulator. 

X 1 R R 

IV-3.1 




HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

X 

SORTIE 


STATION 



HAZARD/EMERGENCY 


2*4.004 

DATE 1 10-25-71 


^ so me E I 11-3*2.4 


Los 8 of manipulator computer aided control system during docking 




1. The manipulator docking system is used. 

2. The control system Is computer aided. 

3. The manipulators are Installed in the orbiter, but not in the Space Station. 




.. Inadvertent vehicle/docking system contact damage. 

:. Vehicle contact through loss of relative motion control. 

1. Failure to dock. 

■. Loss of personnel if the docked module is used for personnel transfer. 


REQUIREMENTS & GUIDELINES 

1. Redundant control feedback loops shall be provided each axis of X 
computer aided control for the manipulator. 

2. The manipulator computer aided control system shall fail to the X 

"no command" mode. 

3. hanual override of computer aided manipulator control rhall be X 

provided. 


CODE 

RGD REF. 

X 1 R P 

IV-3.1 

X 1 G R 

IV-3.1 

X 1 R R 

IV-3.1 


X X X 




RECOMCNOCO (X) OR NOT (- ) 


NO. OF MIPS (1. t. I, 4 ) — 


D-100 











1. D Space station modules which are used in the free flying docking 

mode shall be provided with redundant means for communication, 
guidance, control, power, propulsion, and other functions critical 
to the docking. 

2. E The operational status of systems on Space Station modules which 

are used in the free flying docking mode, including redundant 
systems, shall be verified before the module is separated from 
the orb iter or station. 


CODE RGD REF. 


1 R F 


- 4 R F 


XXX 


RESOLVED HAZARD 
RESIOUAL HAZARD 


RECOMMENDED (X) OR NOT (“ ) — 
NO. OF HRPS (1. 2, 3, 4 ) — 
REQUIREMENT (R) OR GUIDELINE (6)- 
PREVENTIVE (P) OR REMEDIAL (R) - 










HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


_NO. 

2.5.002 


DATE 

10-25-71 



HAZARD/EMERGENCY 


II-3.2.5 


Loss of propulsion or control capability during docking by manned free flying module, 

| assumTtTSns ~ "" 

1. The free flying module docking mode Is used. 

2. The free flying module Is manned by crew and/or passengers, but may be controlled 
from on-board or from the orblter or station. 

3. The life support system capability is for a few hours only, and emergency rescue 
or escape can exceed this duration. 


• potential effects 

I 


1. Vehicle damage by contact. 

2. Stranded free flying module. 

3. Loss of on-board personnel. 


REQUIREMENTS & GUIDELINES ! CODE I RGD REF. 

1. A The reaction jet control system shall provide redundancy to preclude X 1 R P V-IH-3,1 

"jet stuck off" conditions. 

2. B The rate commend and rate/attitude feedback loops of the rotational X 1 R P V-TIT-3.1 

control system shall provide redundancy to preclude "open loop" 

failures . \ 


3. C Inhibit capability shall be provided to control the "jet stuck on" 

condition. 

4. D Space Station modules which are used in the free flying docking 

mode shall be provided with redundant means for communication, 
guidance, control, power, propulsion, and other functions critical 
to the docking. 

5. E The operational status of systems on Space Station modules which 

are used in the free flying docking mode, including redundant 
systems, shall be verified before the module is separated from 
the orbiter or station. 

6. F Emergency procedures shall be available for the orbiter to pursue 

and, if possible, dock to a Space Station module used in the free 

flying module docking mode which has lost control* These procedures 

shall allow personnel escape or REC( ^ E [® E D J* ^OT (- ) 

NO* Or HRPS (If 3f 4 ) l I , 11 1 

RESOLVED HAZARD REQUIREMENT (R) OR GUIDELINE (G) 

RESIDUAL HAZARD T" PREVENTIVE (P) OR REMEDIAL (R) 


L-jifi-sSSlWil 


X 2 R Ry-III-3.2 


- 1 R P 


- 4 R P 


- 4 R R 

X X X X 
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• 

o 

2 

2.5.002 

l DATE 

10-25-71 


HAZARD/EMERGENCY 


Loss of propulsion or control capability during docking by manned free flying module. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET 
REQUIREMENTS & GUIDELINES (continued) 


I.) 


CODE 


R6D REF. 


6.F (continued) 


rescue within their life support capability. 


- 4 R R 


7.G 


Pressure suits and back packs shall be provided for all personnel 
on-board Space Station modules used in the free flying module 
docking mode. These suits shall be suitable for emergency 
EVA escape to a nearby Space Station or orbiter. 


2 R R 


8.H An airlock capability which allows all on-board personnel to 
perform EVA emergency escape shall be provided on-board Space 
Station modules used ir the free flying module docking mode. 
This may be provided by a separate 2-nan airlock, or may be 
an integral capability of the whole module. 

9.1 Emergency life support capability for all on-board personnel 
shall be provided on Space Station modules used in the free 
flying docking mode until emergency escape or rescue can be 
achieved. 


- 1 R R 


- 2 R R 


"llMF-SS-JTW 


< 5*103 






HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 1 

SORTIE 



STATION 



NO. 

2.5,00? 

DATE 

10-25-71 


HAZARD/EMERGENC Y I | SOURCE | Ai 

Loss of life eupnort capability during docking by manned free flying module. 


II-3.2.5" 


"aSOTFtTSns 
1. The fr< 


The free flying module docking mode is used. 

The free flying module is manned by crew and/or passengers, but may be controlled 
from on-board or from the orbiter or station. 

The life support system capability is for a few hours only, and emergency rescue 
or escape can exceed this duration. 


! POTENTIAL EFFECTS 


1. Loss of or -board personnel. 

2. Stranded free flying module. 

REQUIREMENTS & GUIDELINES!" 


1. D Space Station modules which are used in the free flying docking 

mode shall be provided with redundant means for communication, 
guidance, control, power, propulsion, and other functions critical 
to the docking. 

2. E The operational status of systems on Space Station modules which 

are used in the free flying docking mode, including redundant 
systems, shall be verified before the module is separated from 
the orbiter or station, 

3. F Emergency procedures shall be available for the orbiter to pursue 

and, if possible, dock to a Space Station module used in the free 
flying module docking mode which has lost control. These pro- 
cedures shall allow personnel escape or rescue within their life 
support capability. 

4. G Pressure suits and back packs shall be provided for all personnel 

on-board Space Station modules used in the free flying module 
docking mode. These suits shall be suitable for emergency EVA 
escape to a nearby Space Station or orbiter. 


resolved HAZARD 
residual hazard I X 

TP T-SS-313* 


RECOMMENDED (X) OR NOT (- ) — 
NO. OF HRPS (1. 2, 3, 4 ) —> 
REQUIREMENT (R) OR GUIDELINE (G)- 
PREVENTIVE (P) OR REMEDIAL (R) - 



CODE RGD REF. 


- 1 R P 


- 4 R P 


- 4 R R 


- 2 R R 


X X X X 
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HAZARD/EMERGENCY 

Loss of life support capability during docking by manned free flying module. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
REQUIREMENTS & GUIDELINES (continued) 


5.H An airlock capability which allows all on-board personnel to 
perform EVA emergency escape shall be provided on-board Space 
Station modules used in the free flying module docking mode. 
This may be provided by a separate 2-man airlock, or may be 
an integral capability of the whole module. t 

6.1 Emergency life support capability for all on-board personnel 
shall be provided on Space Station modules used in the free 
flying docking mode until emergency escape or rescue can be 
achieved. 


CODE |RGD REF. 


- 1 R R 


- 2 R R 


D-rl05 
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PROGRAM 


SHUTTLE 

X 

SORTIE 

X 

STATION 

X 


NO. 

3.1.001 

■ 

DATE 

12-17-71 

_J 


MAZARD/EMERGENCY 


SOURCE 


Fire/ toxic environment. 




1. The fire and/or toxic environment is severe enough to require evacuation from 
the immediate area, but does not result in personnel injury. 

2. Means are available for extinguishing fires and getting rid of toxic environments, 
which can be activated remotely from other compartments. 

3. The immediate sphere of influence of the fire or toxic environment is of the 
order of 3 m. (10 ft) diameter. 


.. Loss of personnel from a contaminated environment and/or heat. 
2. Loss of vehicle. 


REQUIREMENTS t GUIDELINES I 


CODE I RGDREF. 


The orbiter shall be divided into two or more compartments 
which can be rapidly sealed off in an emergency to prevent the 
Ingress of flames and contaminated atmosphere from the other 
compartment (s) . Each of these compartments shall be capable 
of accommodating all on-board orbiter personnel until the fire 
and/or toxic environment can be eliminated and a habitable 
environment restored. 

Capability shall be provided to reduce the pressure in each 
compartment sufficiently, or increase it in the adjoining com- 
partment (s) and to cut off air circulation, so that in an emer- 
gency the atmosphere in the affected compartment will not be 
propagated into adjoining compartments. This capability shall 
be controlled remotely from each compartment. 

Automatic venting capability shall be provided in each compart- 
ment so that in the event of a fire or release of gases within 
the compartment the pressure will not exceed the structural 
limits of the structure or the capability of seals to other com- 
partments to exclude the contaminated atmosphere. 


X 1 R R IV-3.1 


2 R R JlV-3.2 
V-I-3.2 
K-III-3.: 


S 2 R R IV-3.2 
V-I-3.2 
7-111-3,2 

i 

X X X X 




,X) OR ROT (-) 
i) OR 8UI0D.IM 


■D-106 
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HAZARD/EMERGENCY 
Fire/toxic environment. 


PAGE 2 OF 2 


• 

o 

z 

3.1.001 

DATE 

12-17-71 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (Cont) 

4C. Normally habitable compartments of more than 25 m^ (880 ft^) 

in volume shall have two or more exits into areas which provide 
for personnel survival. These exits shall be at least 3 m. 

(10 ft) apart. 


CODE 
X 1 R R 


RGD REF . 

IV- 3.1 

V- I-3.1 
v-iii-3.: 


5D. Flammable, explosive or gas generating material shall be located, X 1 R R IV-3.1 
or the energy content limited, so that the energy content which V-I-3.1 

can be propagated at any one location shall not result in over- V-III-3. 1 

pressurization of the compartment from heat and gas production. 


Flammable explosive or gas generating material within 3 m 
(10 ft) of the entrance to compartments with only one entry/ 
egress path shall be limited so that the energy content, if 
released, will not result in damage or an environment which 
prevents shirtsleeve access through the entrance. 


X 1 R R IV-3.1 
V-I-3.1 

V-III-3. 1 








£1^ Space Division 
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PROGRAM 


SHUTTLE 

SOtTIE 

STATION 


NO. 

3.1.002 

■ 

DATE 

12-17-71 

_J 


HAZARD/EMEROENCY 


SOURCE I H-4.1 





1. The explosion is severe enough to Incapacitate personnel in the .immediate vicinity, 
but not to cause catastrophic damage to the vehicle or module. 

2. Fire, toxic contamination and loss of pressure may result from the explosion 
(see other hazard /emergency analyses). 

3. The affected compartment or module may not be habitable until major repairs 
are made (in space or on the ground) . 


1. Loss of personnel from immediate effects or from lack of medical treatment and 
loss of habitable environment. 


2 . Loss of vehicle . 


REQUIREMENTS 4 GUIDELINES 


IF. Capability shall be provided for the emergency shirtsleeve 

survival of all on-board personnel until the next resupply or 
emergency shuttle flight following the loss of access to any one 
module/compartment and the loss of equipment and supplies in that 
module/ compartment. A shirtsleeve accessible docking port shall 
be available. If the loss of the module /compartment divides the 
station into two or more isolated habitable sections, then each 
section shall provide the survival capability for all on-board 
personnel, including an available docking port. 

2A. Capability shall be provided to reduce the pressure in each 

compartment sufficiently, or increase it in the adjoining com- 
partment^) and to cut off air circulation, so that in an emer- 
gency the atmosphere in the affected compartment will not be 
propagated into adjoining compartments. This capability shall 
be controlled remotely from each compartment. 

3B. Automatic venting capability shall be provided in each compart- 
ment so that in the event of a fire or release of gases within 
the compartment the pressure will not exceed the structural 
limits of the structure or the capability of seals to other com- 
partments to exclude the contaminated atmosphere. 



RCCflPMCIMD 

NO* OF HRM 
RCOUIREMNT 
WHRTM 


X) OR NOT (-) 
i) Oft 0U1M.IN 


(F) OR Ml 
TD-108 


CODE I RGD REP. 


X 1 R R V-III-3.1 


2 R R IV-3.2 
V-I-3.2 
Y-III-3. 


2 R R ffV-3.2 

IV— I— 3 . 2 

v-111-3. 

t X X X 











z 

o 

m 

3.1.002 

mm 

12-17-71 


HAZARD/EMERGENCY 

Explosion. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 
REQUIREMENTS & GUIDELINES (Cont) 


4C. Normally habitable compartments of wore than 25 m^ (880 ft^) 

in volume shall have two or more exits into areas which provide 
for personnel survival. These exits shall be at least 3 m. 

(10 ft) apart. 

5D. Flammable, explosive or gas generating material shall be located 
so that the energy content which can be propagated at any one 
location shall not result in overpressurization of the compart- 
ment from heat and gas production. 

6E. Flammable explosive or gas generating material within 3 m 

(10 ft) of the entrance to compartments with only one entry/ 
egress path shall be limited so that the energy content, if 
released, will not result in damage or an environment which 
prevents shirtsleeve access through the entrance. 

^ * 

' * TVo or more entrances into normally habitable compartments 
of more than 25 m3 (880 ft3) in volume shall be shirtsleeve 
accessible from each of the other normally inhabited compart- 
ments. These entrances shall be at least 3 m (10 ft) apart. 


CODE RGD REF. 


X 1 R R IV-3.1 

V-I-3.1 

V-III-3.1 


X 1 R R IV-3.1 

V-I-3.1 

V-III-3.1 


X 1 R R IV-3.1 
V-I-3.1 
V-III-3.1 


X 1 R R IV-3.1 
V-I-3.1 
V-III-3.1 


8G. Emergency capability shall be provided on orbiter flights with 
a manned sortie module for the return to earth of all the pass- 
engers in the orbiter, without support from the sortie module. 

9H. Emergency capability shall be provided on manned sortie modules 
for the return to earth of all the passengers in the sortie 
module, without life support from the orbiter. 

10. The orbiter crew shall not enter manned sortie modules during 
the conduct of hazardous experiments. 


7 1 R R IV-3.1 


X 1 G R IV-4.3 
V-I-3.1 


X 4 R R IV-3.4 

IV- 4.3 

V- I-3.4 
V-I-4.1 


D-109 
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rv 
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Space Division 

No»th American Rockwell 


PROGRAM 

SHUTTLE 

X 

SORTIE 

X 

STATION 

X 


HAZARD/EM£ROENCV~[ 


Page 1 of 1 


NO. 

3.1.003 

DATE 

12-17-71 


SOURCE 


rn-4.i 


1 


Emergency evacuation 


AS5UJUWI6KIS T 

1. No catastrophic accident (such as a fire or explosion) has yet happened at the 
time evacuation Is required. 

2. Evacuation can be performed fairly deliberately — i.e., in minutes rather than 
in seconds. 

3. The evacuated compartment cannot be occupied again on that mission. 

4. The stilted orbiter crew can still have access to the crew compartment to return 
the orbiter to earth. 

I POTENTIAL EFFECTS | 


Not determinable. 


REQUIREMENTS 4 GUIDELINES 


I 


CODE 


ROD REF. 


IF. 


Capability shall be provided for the emergency shirtsleeve 
survival of all on-board personnel until the next resupply or 
emergency shuttle flight following the loss of access to any one 
module /compartment and the loss of equipment and supplies In that 
module /compartment. A shirtsleeve accessible docking port shall 
be available. If the loss of the module /compartment divides the 
station Into two or more isolated habitable sections, then each 
section shall provide the survival capability for all on-board 
personnel, Including an available docking port. 


X 1 R R 


y-m-3.i 


2G. Emergency capability shall be provided on orbiter flights with 
a manned sorlte module for the return to earth of all the pass- 
engers in the orbiter, without support from the sortie module. 


K 1 R R 


IV-3.1 


SI. Emergency capability shall be provided on manned sortie modules 
for the return to earth of all the passengers in the sortie 
module, without life support from the orbiter. 


R 1 G R 


IV-4.3 

|V-I-3.1 


RKHKWOCD U) OR NOT (-) 

no. o r mn h. *. i. O 

WmTIu 


liOLVIP HAZARD __ 

Biiwtfc wane i n 


XXIX 


mm 

»n_ii A 


ML 


tWL 
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HAZARD/EMERGENCY ANALYSIS 


Space Division 

North American Rockwell 


NOGRAM 

SHUTTLE 

X 

SORTIE 

X 

STATION 

X 


HAZARD/EMEtOENCY [ 


Loss of pressure . 

| ASSUWTi5Kis | 


Page i of 2 


NO. 

3.1.004 

DATE 

12-17-71 


SOURCE I 11-4.1 1 


1. Minutes of reaction tine are available before physiological Impairment or injury 
will result, and emergency evacuation to another compartment, or emergency 
donning of space stilts which do not require pre-breathing, is possible if 
these are available. 

2. The source of leakage may not be detectable and repairable during the mission. 


I wiM T ttiTH iefri 


1. Loss of personnel. 

2. Loss of vehicle. 


I REQUIREMENT S A GUIDELINES \ 


CODE 


RGD REF. 


IP. 


Capability shall be provided for the emergency shirtsleeve 
survival of all on-board personnel until the next resupply or 
emergency shuttle flight following the loss of access to any one 
module /compartment and the loss of equipment and supplies in that 
module /compartment. A shirtsleeve accessible docking port shall 
be available. If the loss of the module/compartment divides the 
statl •</ into two or more isolated habitable sections, then each 
section shall provide the survival capability for all on-board 
personnel, including an available docking port. 


UC 1 R R 


fo-III-3. 


2G. Emergency capability shall be provided on otbiter flights with 
a manned sortie module for the return to earth of all the pass- 
engers in the orblter, without support from the sortie module. 


E1XR 


IV-3.1 


3H. Emergency capability shall be provided on mann ed sortie modules 
for the return to earth of all the passengers in the sortie 
module, without life support from the orblter. 


DC 1 G R 


IV- 4.3 

V- I-3.1 


•;\Y 




XXXI 



D-lll 



* « •S’*’**-' V* - ^T***#*' 




HAZARD/EMERGENCY 
Loss of pressure. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEFT I.) 

REQUIREMENTS & GUIDELINES (Cont) 

A. Pressure suits and attendant life support shall be provided for 
the orblter crew on every flight. 

5. Pressure suits and attendant life support shall be provided for 
all orbiter/sortle nodule passengers on missions where the con- 
figuration does not provide two separate pressurlzable compart- 
ments capable of returning all passengers to earth. 

>1 . Orblter equipment required for returning the orblter to earth 
shall be capable of operating In a depressurized environment. 
The controls for this equipment shall be operable by crewmen 
in pressure suits. 


CODE RGD REF. 


X 2 R R IV-3.2 


X 2 R R IV-3.2 

IV- A.3 

V- I-3.2 
V-I-4.1 

X 1 R R IV-3.1 










Space Division 

North American Rockwell 


HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


HAZARD/tMERGENCY 


Page 1 of 1 

NO. 3.1.005 

..." 12-21-71 


SOURCE I H-4.1 


Failure to open Internal hatch between pressure isolatable volumes. 




1. Spacecraft may be operated with Internal hatches open or dosed* as found 
convenient* and irrespective of safety recommendations. 


1. Entrapment of personnel with insufficient life support or inability to 
leave vehicle. 


2. Inability to reach critical supplies or equipment. 


REQUIREMENTS A GUIDELINES 


CODE I RGD REF. 


sleeve ingr 
ule, redund 
ng hatch Ces 


ded in 
ail able f 


IV-3.1 


if 





















PROGRAM 


41^ Space Division 

North American Rockwell 


HAZARD/EMERGENCY ANALYSIS 


SHUTTLE 

X 

SORTIE 

X 

STATION 

X 


1 HAZARO/tMERGENCV | 

Failure to open docking hatch after docking, 


Page 1 of 1 

NO. 3.1.006 

DATE 12-21-71 

I SOURCE I II-A.l 


1. Docking interfaces for normal missions Involving docking hatches exist between 

a) Orbiter and manned sortie modules 

b) Orbiter and space station modules 

c) Space station modules and space station 

2. The inoperative hatch may on either one of the interfacing vehicles. 


1. Isolation of personnel in a spacecraft with insufficient life support or 
inability to return to earth. 

2. Inability to continue mission. 

1 REQUIREMENTS A GUIDELINES] COPE 

1. Personnel shall not be allowed in a sortie or space station X A R 

module during repositioning of the module from one docking 

port tc another. 

2. The space station shall be configured so that it always has at X 1 R 

least two docking ports available which can accommodate a shuttle 
orbiter resupply or rescue mission. 

3. Emergency life support capability shall be available on the space X 1 R 
station following the non-arrival of the next planned orbiter 

until the following resupply or rescue orbiter flight. 


CODE 

RGD REF. 

X A R R 

IV-A.l 


IV-A.3 


V-I-3.A 


V-III-3. 

X 1 R R 

V-III-3. 

X 1 R 

-Ill- 3.1 


RSC0WINDCD 

no. * mn 


;i) ON NOT I- 
r| OR 0UI0CL1 


RtqVIRQCNT (R) OR OUIOCLINt («)■ 
KEVCNTlff (R) ON NDCDUL (R) - 


ix X X X 
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SORTIE 

STATION 


VlS S pace Division 
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NO. 

3.1.007 

DATE 

12-21-71 


hazard/emergency 


Failure to close docking hatch before undocking. 


SOURCE 


Docking Interfaces for normal missions involving docking hatches exist between: 

a) Orbiter and manned sortie modules 

b) Orbiter and space station modules 

c) Space station modules and space station 

The Inoperative hatch may be on either one of the interfacing vehicles. 

Space station personnel ascent to orbit and return to earth in the orbiter crew/ 
passenger compartment, not in the space station modules. 




1. Inability to undock. 

2. Inability to return orbiter to earth. 


REQUIREMENTS 


GUIDELINES 




mo mma w) or hot (-) — 
fc& Sr 111 ot m&m («T 

MfVBITm (r) OR REHSIM. (R) - 

" D-l*5 


CODE 


RGD REF. 


LF. Capability shall be provided for the emergency shirtsleeve 

survival of all on-board personnel until the next resupply or 
emergency shuttle flight following the loss of access to any one 
module/compartment and the loss of equipment and supplies in that 
module /compartment. A shirtsleeve accessible docking port shall 
be available. If the loss of the module/compartment divides the 
station into two or more isolated habitable sections, then each 
section shall provide the survival capability for all on-board 
personnel, including an available docking port. 

2. Manned sortie modules and space station modules shall be designed 
so that they can be undocked, retrieved into the orbiter, cargo 
bay and returned to earth unpressurized. 


3. Capability shall be provided to depressurize docked modules 
before undocking. 


x l R R hr-m-3. 


1 G R IV-4.1 

IV- 4.3 

V- I-3.1 
7-III-3.1 


1 R R 


v-I-3.1 

f-III-3.1 


XXIX 









HAZARD/EMERGENCY 

Failure to close docking hatch before undocking. 


(LIST ADDITIONAL CONTENT IN THE ORDER OF SHEET I.) 

REQUIREMENTS & GUIDELINES (Cont) 

4G. Emergency capability shall be provided on orbiter flights with 1 
a manned sortie module for the return to earth of all the pass- 
engers in the orbiter, without support from the sortie module. 

5H. Emergency capability shall be provided on manned sortie modules 
for the return to earth of all the passengers in the sortie 
module, without life support from the orbiter. 

61. Orbiter equipment required for returning the orbiter to earth 
shall be capable of operating in a depressurized environment. 
The controls for this equipment shall be operable by crewmen 
in pressure suits. 


CODE RGD REF 
X 1 R R IV-3.1 


X 1 G if IV-4.3 
♦V-I-3.1 


X 1 R R IV-3.1 


L6 












NOGRAM 


SHUTTLE 

SORTIE 

STATION 


Space Division 

North American Rockwell 
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NO. 

3.1.008 


DATE 

12-21-71 



HAZARD/! MERGE NC Y 


Inability to use docking hatch for EVA when EVA required. 


SOURCE I H-4.1 


1. Contingency EVA may be required to correct a problem which interferes with the 
use of the docking hatch; e.g., the orbiter manipulator has jammed the docking 
mechanism on a docked module without sealing the interface. 


2. The normal EVA egress is via a docking hatch. 





Inability to perform contingency EVA when required, 


REQUIREMENTS & GUIDELINES 




A backup EVA egress/ingress hatch which can be used for contin- 
gency EVA shall be available. Capability for depressurization 
and repressurization of the connecting compartment /module shall 
be provided. 


CODE RGD REF. 


X 1 R R IV-3.1 
7-III-3. 


iv» HA// ll 
SKr HAZARD I 


X) OR NOT ( - 
NO. O F MOPS (1. t, J, 47 
KOIIRDCIIT (R) OR OU10D.il 
mVCNTlVE (F) OR RBCD1AL 

- D-117 “ 


nr 


■ 









*»*• ♦♦ 


Space Division 

^ North American Rockwell 


HAZARD/EMERGENCY ANALYSIS 


Page 1 of 1 


PROGRAM 


SHUTTLE 

X 

SORTIE 


STATION 

X 


NO. 

3.1.009 

DATE 

12-21-71 


HAZARD/tMEROENCV f 


SOURCE 


II-4.1 


Failure to dose external airlock hatch when returning from EVA. 

| I 'aHumptiqns j 

1. This emergency is considered only for missions in which EVA is planned as 
part of the normal operations. 


i 


POTENTIAL EFttW 


1. Inability of EVA personnel to return into spacecraft. 

I REQUIREMENTS A GUIDELINES T 

1J. A backup EVA egress /ingress hatch which can be used for contin- 
gency EVA shall be available. Capability for depressurization 
of the connecting compartment /module shall be provided. 

2K. On orb iter missions without attached manned sortie modules in 
which EVA is planned as part of the normal mission, pressure 
suits shall be carried for all on-board personnel. 

3. Dual external hatches shall be provided on airlocks, either one 
of which can seal the airlock against the space vacuum. 


X 1 R R 


X 4 R R 


- 1 G R 


CODE 


X X X X 



RCC9MCN0CD (X) OR JOT (-) — 

w, or mvs Ji. t. s, O ~ 

w&MMSW- 

p-118 — 


ROD REF. 


IV-3.1 . 
-n.x-3.1 


IV-3.4 


* 

& 

* 

. * 
A 


1 


II 


' L 



MOOR AM 


SHUTTLE 

SORTIE 

STATION 


Space Division 

North American Rockwell 
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NO. 

3.1.010 


DATE 

12-21-71 



hazard/emeroency 


SOURCE II-4.1 


Failure to open internal airlock hatch when returning from EVA. 


iIMZM 


1. This emergency is considered only for missions in which EVA is planned as 
part of the normal operations. 


1. Inability of EVA personnel to return into spacecraft. 


REQUIREMENTS 4 GUIDELINES 


Jul. A backup EVA egress /ingress hatch which can be used for contin- 
gency EVA shall be available. Capability for depressurization 
of the connecting compartment /module shall be provided. 

2K. On orbitar missions without attached manned sortie modules in 
which EVA is planned as part of the normal mission , pressure 
suits shall be carried for all on-board personnel. 

3. Dual internal hatches shall be provided on airlocks, either one 
of which can provide access to the spacecraft. 


CODE I ROD REF. 


X 4 R R 









REPRODUCIBILITY OF THE ORIGINAL PAGE <S POOR 



Space Division 

North American Rockwell 


HAZARD/EMERGENCY ANALYSIS 


PROGRAM 


SHUTTLE 

SORTIE 

STATION 


NO. 

3.1.011 


DATE 

12-21-71 



HAZARD/EMERGENCY 


SOURCE ? II-4.1 


Failure to close IVA airlock hatch on depressurized/contaminated side or to open 
hatch on pressurized/habitable side when returning from IVA. 


Wi«KlAIM2H 


IVA as a planned activity is carried out on the Space Station only. 

1. This emergency is not considered on the orbiter or sortie modules. 

I. IVA suits can be used in an emergency in an EVA mode. 

i. Planned IVA will use umbilicals rather than back-packs for life support, 


Inability for IVA personnel to return to a habitable environment. 


REQUIREMENTS A GUIDELINES 


CODE I ROD REF. 


1. An emergency IVA or EVA return route shall be available for any X 
planned IVA activity independent of the normal IVA airlock route. 

Depressurization and repressurization capability shall be provided 
for the additional compartment (s) or module(s) which must be used. 

2. Emergency portable life support systems shall be available in the X 2 R R |v-m 
airlock sufficient to sustain IVA personnel in an emergency IVA 
or EVA return from a planned IVA activity. 



RESOLVED HAZARD 
RSIDUAL HAZARD 


ttCONKNOCD (X) OR NOT (-) 
NO. Of HRRS (1. I. 3 ■ 



OR REMEDIAL (A 


i 










